Show HN: Browser-based XSS scanner | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

		Show HN: Browser-based XSS scanner (github.com/dshieble)
		57 points by gigalord 84 days ago \| hide \| past \| favorite \| 2 comments

		This is a simple single-file python program that can find basic XSS (cross-site scripting) vulnerabilities in a target url. Most XSS discovery tools use a payload refelection strategy in which payloads are injected in url parameters and the GET response is inspected for places where the payload content is reflected. This is a very low precision XSS detection strategy because most reflection does not support execution. This program uses a different approach, and instead opens the target url in a browser, tests alert(...) payloads directly in the browser context, and listens for an alert being triggered. This means that any XSS spotted by this program is extremely unlikely to be a false positive.

eur0pa 83 days ago [–]

I appreciate the effort, however that list of payloads is a great way to get your IP address banned by Akamai and others. There are better ways to discover injection points without poking trigger-happy WAFs.

JosephRedfern 83 days ago | [–]

I don't think OP is suggesting that the payload list is the interesting thing here, rather the overall approach

Consider applying for YC's W25 batch! Applications are open till Nov 12.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact