Cross-Site Scripting

How to exploit cross-site scripting (XSS).

Standard XSS

Dalfox

Dalfox is a powerful open-source XSS scanner and utility focused on automation.

https://github.com/hahwul/dalfox

The following command will take a HTTP request saved to a file named HTTPREQUEST and look for XSS, including blind XSS if you use the -b flag with a blind XSS URL.

dalfox file --rawdata HTTPREQUEST -b <blind_xss_link>

The following command will take a URL and look for XSS, including blind XSS if you use the -b flag with a blind XSS URL.

dalfox url URL -b <blind_xss_link>

Blind XSS

XSSHunter

XSSHunter provides a weaponised URL to insert into XSS payloads to test for blind XSS. The easiest way to use XSSHunter, is by using TruffleSecuritys own platform.

https://xsshunter.trufflesecurity.com/app/#/

For those that are more security and privacy conscious. You may wish to setup a private instance:

https://github.com/trufflesecurity/xsshunter

PreviousSQL Injection NextHTTP Headers

Last updated 1 year ago