Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

xsstrike

Package Overview
Dependencies
Maintainers
2
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

xsstrike

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler. Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine.

  • 3.2.2
  • PyPI
  • Socket score

Maintainers
2


XSStrike
XSStrike

Advanced XSS Detection Suite

multi xss

XSStrike WikiUsageFAQFor DevelopersCompatibilityGallery

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.

Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. Here are some examples of the payloads generated by XSStrike:

}]};(confirm)()//\
<A%0aONMouseOvER%0d=%0d[8].find(confirm)>z
</tiTlE/><a%0donpOintErentER%0d=%0d(prompt)``>z
</SCRiPT/><DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt,a()//

Apart from that, XSStrike has crawling, fuzzing, parameter discovery, WAF detection capabilities as well. It also scans for DOM XSS vulnerabilities.

Main Features

  • Reflected and DOM XSS scanning
  • Multi-threaded crawling
  • Context analysis
  • Configurable core
  • WAF detection & evasion
  • Outdated JS lib scanning
  • Intelligent payload generator
  • Handmade HTML & JavaScript parser
  • Powerful fuzzing engine
  • Blind XSS support
  • Highly researched work-flow
  • Complete HTTP support
  • Bruteforce payloads from a file
  • Powered by Photon, Zetanize and Arjun
  • Payload Encoding

Documentation

FAQ

DOM XSS

dom xss

Reflected XSS

multi xss

Crawling

crawling

Fuzzing

fuzzing

Bruteforcing payloads from a file

bruteforcing

Interactive HTTP Headers Prompt

headers

Hidden Parameter Discovery

arjun

Contribution, Credits & License

Ways to contribute

  • Suggest a feature
  • Report a bug
  • Fix something and open a pull request
  • Help me document the code
  • Spread the word

Licensed under the GNU GPLv3, see LICENSE for more information.

The WAF signatures in /db/wafSignatures.json are taken & modified from sqlmap. I extracted them from sqlmap's waf detection modules which can found here and converted them to JSON.
/plugins/retireJS.py is a modified version of retirejslib.

Keywords

FAQs


Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc