XssPy – Web Application XSS Scanner

XssPy is a python tool for finding Cross-Site Scripting vulnerabilities in websites. This tool is the first of its kind. Instead of just checking one page as most of the tools do, this tool traverses the website and find all the links and subdomains first. After that, it starts scanning each and every input on each and every page that it found while its traversal. It uses small yet effective payloads to search for XSS vulnerabilities.

The tool has been tested parallel with paid Vulnerability Scanners and most of the scanners failed to detect the vulnerabilities that the tool was able to find. Moreover, most paid tools scan only one site whereas XSSPY first finds a lot of subdomains and then scans all the links altogether. The tool comes with:

  1. Short Scanning
  2. Comprehensive Scanning
  3. Finding subdomains
  4. Checking every input on every page

With this tool, Cross Site Scripting vulnerabilities have been found in the websites of MIT, Stanford, Duke University, Informatica, Formassembly, ActiveCompaign, Volcanicpixels, Oxford, Motorola, Berkeley and many more.

Requirements:

  • Termux from the play store.
  • Mobile data / wifi connection.

Requirements for Pc

  • Kali Linux

Steps To Use

  1. First type ‘ pkg install python2 git ‘.
  2. Now type ‘ git clone https://github.com/faizann24/XssPy.git ‘.
  3. Now type ‘ cd XssPy ‘
  4. Now type ‘ pip install mechanize ‘
  5. Type ‘ chmod +x XssPy.py ‘ to give it permissions for execution
  6. The last step to start XssPy is ‘ python XssPy.py -h ‘.
  7. Now to scan a website type ‘ python XssPy.py -u youwebsite.com ‘ and follow the instructions.

For Pc

Installation:

Type the following in the terminal.

git clone https://github.com/faizann24/XssPy/ /opt/xsspy

The tool works on Python 2.7 and you should have mechanize installed. If mechanize is not installed, type “pip install mechanize” in the terminal.

You will also need the mechanize distribution, you can install it with pip: pip install mechanize

Usage:

python XssPy.py website.com (Do not write www.website.com OR http://www.website.com)

Follow Me on Facebook Shahid Malla

Kali Linux, Termux