№8. ScannerBox. Multiple types of cross-site scripting detection

10 April 2023 5 minutes Author: Endpool

Cross-Site Scripting – Be Careful!

Cross-site scripting (XSS) is a type of attack on web systems in which malicious code is introduced into a page served by the web system, so that it executes on the user’s computer when the page is opened and interacts with the attacker’s web server. It is a form of “code injection” attack. What distinguishes these attacks is that the malicious code can use the user’s authorization in the web system to gain extended access to it. Malicious code can reach a page either through a vulnerability in the web server or through a vulnerability on the user’s computer. For a long time programmers paid little attention to such flaws and considered them harmless. That is a misconception: a page can contain very sensitive data (for example, the administrator’s session ID or payment document numbers), and where there is no CSRF protection an attacker can perform any action available to the user. Cross-site scripting can also be used to launch a DoS attack. The injected code can carry out malicious actions such as collecting sensitive information, changing the appearance of the page, sending requests to the server that perform malicious actions, and others.

An attacker can insert a script anywhere on the page, including form fields, comments and URLs. Cross-site scripting is one of the most common and highest-risk WordPress vulnerabilities. XSS attacks are so widespread because, unlike other security vulnerabilities, they are very difficult to fix. Even if you have built-in protection, it is very easy to make a mistake that permits cross-site scripting: a single error in your web page’s HTML or JavaScript can leave your site open to XSS attacks.

Types of cross-site scripting detection

Shuriken – a command-line XSS tool for testing XSS payload lists

Shuriken was developed by Shogun Lab as an open-source cross-site scripting (XSS) command-line utility to help web security researchers test a list of XSS payloads against a web application. It lets the tester easily modify payload lists, log results, and take screenshots of successful payloads. It should be used only for legitimate purposes against targets that have consented to penetration testing; before running this tool against a web application, make sure you have permission.

XSStrike – Fuzz and bruteforce options for XSS, WAF detection and bypassing

XSStrike is a cross-site scripting detection suite equipped with four handwritten parsers, an intelligent payload generator, a powerful fuzzing engine, and an incredibly fast scanner. Instead of injecting payloads and checking whether they work, as other tools do, XSStrike parses the response with multiple parsers and then crafts payloads that are guaranteed to work, using context analysis integrated with the fuzzing engine. In addition, XSStrike has scanning, fuzzing, parameter discovery and WAF detection capabilities, and it also looks for DOM XSS vulnerabilities.
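The context analysis described above, and the “one mistake in your HTML or JavaScript” from the introduction, can be shown in a few lines. The following Python script is an added example for this page; it is not code from the article, from XSStrike or from any other tool named here. It renders a constructed page in two ways (one concatenates input raw into HTML text, an attribute value and a script; the other encodes per context), reflects a canary followed by probe characters through each, then locates every reflection, classifies its context and records which probe characters came back unencoded. The canary, the probe set, the two render functions and the breakout rules are assumptions made for the illustration.

```python
import html
import json
import re

# Added example, not code from the article or from XSStrike/Dalfox.
# The canary, probe characters and breakout rules are assumptions made
# for this illustration; they are not any tool's defaults.
CANARY = "xq7zcanary"       # unique, harmless marker used to locate reflections
PROBE_CHARS = '<>"\''       # characters whose unencoded survival matters

# Which surviving character lets reflected input leave its current context.
BREAKOUT = {
    "text": "<",            # a new tag can be opened
    "attribute": "\"'",     # the attribute value can be closed
    "script": "\"<",        # the JS string or the <script> element can be closed
}


def render_vulnerable(query: str) -> str:
    """Constructed page that concatenates input raw into three contexts."""
    return (
        "<html><body>"
        f"<p>Results for {query}</p>"
        f'<input name="q" value="{query}">'
        f'<script>var q = "{query}";</script>'
        "</body></html>"
    )


def render_hardened(query: str) -> str:
    """Same page with context-appropriate encoding."""
    text = html.escape(query, quote=True)           # HTML text and attribute value
    js = json.dumps(query).replace("<", "\\u003c")  # JS literal; "<" can no longer close the tag
    return (
        "<html><body>"
        f"<p>Results for {text}</p>"
        f'<input name="q" value="{text}">'
        f"<script>var q = {js};</script>"
        "</body></html>"
    )


def context_at(body: str, pos: int) -> str:
    """Classify the HTML context at offset pos as script, attribute or text."""
    head = body[:pos].lower()
    if head.rfind("<script") > head.rfind("</script"):
        return "script"
    if head.rfind("<") > head.rfind(">"):   # inside a tag that has not been closed
        return "attribute"
    return "text"


def analyse(body: str, canary: str = CANARY) -> list:
    """Find every reflection of the canary and decide whether it is exploitable."""
    findings = []
    for m in re.finditer(re.escape(canary), body):
        # The probe characters were sent directly after the canary; check which
        # of them are still present, unencoded, in the same positions.
        tail = body[m.end():m.end() + len(PROBE_CHARS)]
        survived = "".join(c for c in PROBE_CHARS if c in tail)
        ctx = context_at(body, m.start())
        findings.append({
            "context": ctx,
            "survived": survived,
            "exploitable": any(c in survived for c in BREAKOUT[ctx]),
        })
    return findings


def scan(render) -> dict:
    """Send the probe through a render function and summarise the result."""
    findings = analyse(render(CANARY + PROBE_CHARS))
    return {
        "reflections": len(findings),
        "exploitable": sum(1 for f in findings if f["exploitable"]),
        "contexts": [f["context"] for f in findings],
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, scan(fn))
```

Both pages reflect the canary three times, so a scanner that only checked “is my input echoed back?” would report both. The context check is what separates them: in the raw page every probe character survives in all three contexts, while in the encoded page none does, so no reflection is marked exploitable.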

DOMDig – DOM XSS scanner for single-page applications

DOMDig is a DOM XSS scanner that runs in the Chromium web browser and can recursively scan single-page applications (SPAs). Unlike other scanners, DOMDig can scan any web application (including Gmail) by tracking DOM modifications and XHR/fetch/websocket requests, and it can simulate real user interaction by triggering events. During this process XSS payloads are injected into input fields and their execution is tracked to find injection points and the corresponding URL modifications. It is based on htcrawl, a Node library powerful enough to crawl a Gmail account with ease.

PwnXSS – Powerful XSS scanner for Python 3.7

PwnXSS is a free and open-source tool available on GitHub, designed specifically to find cross-site scripting. It is written in Python, so our Kali Linux system should have Python 3.7 installed. Many websites are vulnerable to cross-site scripting (XSS), and PwnXSS works as a scanner that simplifies detecting it. With millions of websites and web applications on the internet, the question arises whether our own website is secure or not, and the security of our site is extremely important. XSS is a vulnerability used to hack websites, and this tool simplifies the detection of such vulnerabilities.

Dalfox – a parameter analysis and XSS scanning tool based on Golang

Dalfox is a fast parameter analysis and cross-site scripting (XSS) scanner based on a DOM (Document Object Model) parser. Beyond XSS, Dalfox has additional checks for SQL injection (SQLi), server-side template injection (SSTI) and open redirects. Dalfox is written in Golang. It is able to find reflected, stored and blind XSS in the target web application. The basic concept is to analyse parameters, look for XSS and verify it with a DOM parser.

Key features:
- Dalfox performs parameter analysis to find reflected parameters.
- Dalfox finds bad/evil characters and determines the injection point.
- Dalfox performs static analysis, checking for bad headers such as CSP, X-Frame-Options, etc.
- Dalfox performs optimization queries for payloads, verifies the injection point through abstraction, and generates the payload.
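The static-analysis step mentioned above (checking response headers such as CSP and X-Frame-Options before anything is injected) is simple enough to reproduce. The Python script below is an added example for this page, not Dalfox’s code: it parses a Content-Security-Policy header into directives, flags script sources that permit inline or wildcard scripts, and reports missing framing and MIME-sniffing protections, run over a constructed weak header set and a constructed hardened one. The rule set, the finding texts and the sample header values are assumptions made for the illustration.

```python
# Added example, not Dalfox's code: a static check of security-relevant
# response headers of the kind a scanner runs before injecting anything.
# The rules below and the sample headers are assumptions for illustration.

# Script sources that leave inline or arbitrary script execution open.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "*", "data:")


def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: [sources]}.

    Directive names are lowercased; source tokens are kept verbatim.
    """
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    policy = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if policy is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src governs script execution; default-src is the fallback.
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            sources = [s.lower() for s in script]      # keyword tokens compare case-insensitively
            for weak in WEAK_SCRIPT_SOURCES:
                if weak in sources:
                    findings.append(f"CSP script sources allow {weak}")

    # Framing can be restricted by either mechanism; having neither is a finding.
    if "x-frame-options" not in h and not (policy and "frame-ancestors" in policy):
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-EXAMPLE'; "
        "object-src 'none'; frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_headers(hdrs) or ["OK"])
```

Such a check cannot prove a page is free of XSS; it only tells the tester how much a policy would contain an injection if one is found, which is why scanners run it alongside, not instead of, the parameter analysis.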
