
XSStrike: XSS detection suite - godfrzero
https://github.com/s0md3v/XSStrike
======
strictnein
Just a word of caution: Running tools like this from your home IP address is a
good way of getting banned from the Internet* by Akamai.

* (yes, yes, you're not banned from the Internet, but you'll be surprised by all the sites you visit that sit behind Akamai)

Some ISPs are relatively easy to get a new IP address on, others are rather
difficult, so don't be dumb, use protection: a VPN.

~~~
kokx
Just don't run it against anything for which you do not have permission to run
such tools.

Running a tool like this against your favorite websites is a simple way of
getting banned from your favorite websites.

~~~
strictnein
Even sites that have bug bounties don't turn off their WAF for you. So you can
have permission to run some tools against them, but still anger Akamai.

------
rynop
If you’re going to use this against a site that runs in AWS, make sure to
request permission first @ [https://aws.amazon.com/security/penetration-testing](https://aws.amazon.com/security/penetration-testing)

Thx for the OSS contribution. Looking forward to trying this out.

~~~
dyu
Interestingly, as of last year Azure no longer requires advance notice:
[https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement](https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement)

------
algorithm_dk
Having used XSStrike, I must say it probably is the best _public_ tool for
hunting XSS.

~~~
chii
Is there a private tool that only those in the know can use?

~~~
thawab
He might have meant public as in free/open source. A commercial XSS tool that comes
to mind is [https://www.blueclosure.com/](https://www.blueclosure.com/).

------
yawz
(Hoping that the author(s) is (are) here) Thank you for working on and sharing
a great tool. I spotted two typos on the main site:

“...payload generator generates patloads which are...” patloads -> payloads.

“...flaunting it's genius backend.” it’s -> its.

~~~
dean177
Submit a PR, the author will definitely see it.

------
LiveOverflow
Must be advanced because:

> Throw away your paid tools because this is some God level shit. Now with 4
> hand written parsers, an intelligent payload generator, powerful fuzzing
> engine, DOM scanner, hidden parameter discovery and an incredibly fast
> crawler. F*cking retweet it!

- [https://twitter.com/s0md3v/status/1061255510677057537](https://twitter.com/s0md3v/status/1061255510677057537)

> Exactly, that's why you have no idea how it works and all. Well, it took me
> a month and being a developer of 30+ open source software, this is the first
> time I am saying this is some God level shit and I mean it.

- [https://twitter.com/s0md3v/status/1061662698335723520](https://twitter.com/s0md3v/status/1061662698335723520)

~~~
UncleMeat
Why the heck would "four hand written parsers" be a selling point?

~~~
tptacek
[https://www.theonion.com/fuck-everything-were-doing-five-blades-1819584036](https://www.theonion.com/fuck-everything-were-doing-five-blades-1819584036)

------
simplegeek
Does this work on web-pages behind a login?

~~~
amatera
You can supply your own HTTP headers. So I guess you can send cookies and things
like that with it.

------
provolone
No support for base64 encoded parameters?

------
lysp
Spelling error on the very first image example: "Cofidence"

~~~
latchkey
I submitted a PR to fix the mistake before I read the comment here.

------
balibebas
Great! Thanks for sharing this. Mirrored.
[https://git.habd.as/comfusion/XSStrike](https://git.habd.as/comfusion/XSStrike)