NCRIF/xstrike
xstrike

XSS fuzzer with spider + DOM detection

installing

git clone https://github.com/NCRIF/xstrike.git
cd xstrike && ./install.sh

uninstall: ./uninstall.sh

usage

xstrike -u "https://target.com/search?q=XERO" -w payloads.txt -xss
xstrike -u "https://target.com" --crawl -co endpoints.yaml
xstrike -u "https://target.com" --crawl -w payloads.txt -xss -o results.yaml
xstrike -u "https://target.com" --crawl -w payloads.txt -xss -M 1
xstrike --from-file endpoints.yaml -w payloads.txt -xss -o results.yaml

XERO gets replaced with each payload. Crawl finds forms, links, and js sinks. -M 1 loads ~/.config/xstrike/presets/1.yaml.

flags

-u        target URL (XERO = injection point)
-w        wordlist file or URL
-xss      adaptive mode (probe -> adapt -> fuzz)
--crawl   spider the target for injection points
--from-file  read endpoints from yaml or txt
-co       save crawl output
-o        save fuzz results
-m        GET/POST/PUT
-d        POST body (use XERO placeholder)
-H        custom header (repeatable)
-c        cookie
-p        proxy
-t        threads + crawl concurrency (10)
--max-pages  spider depth (-1 for all)
--delay   delay between requests
--timeout request timeout
-M        preset number
-ua       custom user-agent
-h        help

output

xstrike -u https://target.com --crawl -w payloads.txt -xss -t 40 -o results.yaml

[*] crawling https://target.com...
  [1/30] https://target.com (1 hits)
  [2/30] https://target.com/search.php (3 hits)
[+] 19 injection points

  waf=False ctx=encoded dom=False

[fuzz] 0/17 done, 17 running | on search.php?q=XERO
[fuzz] xss_r/?name=XERO | 45/247 hit: <svg onload=alert(0)>
[fuzz] 12/17 done, 5 running | H:247 D:4 B:0 | on logout.php?user=XERO

[+] fuzz complete
  saved: results.yaml

presets

~/.config/xstrike/presets/1.yaml - full crawl + fuzz

wordlist: xss_waf_bypass.txt
crawl: true
co_output: endpoints.yaml
max_pages: -1
xss: true
threads: 40
output: results.yaml

~/.config/xstrike/presets/2.yaml - fuzz from saved endpoints

wordlist: xss_waf_bypass.txt
from_file: endpoints.yaml
xss: true
threads: 40
output: results.yaml

-M 1 loads preset 1. CLI flags override preset values. presets ship in config/presets/ and get copied to ~/.config/xstrike/presets/ by install.sh.
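The preset semantics described above (-M N resolves to ~/.config/xstrike/presets/N.yaml, CLI flags override preset values), as an added Python example that is not xstrike's own code; the preset-key-to-flag mapping and the flat key: value parser are assumptions made for illustration, and PRESET_1 is a copy of the 1.yaml shown above.

```python
from pathlib import Path

# Copy of the README's 1.yaml, embedded here so the example runs offline.
PRESET_1 = """\
wordlist: xss_waf_bypass.txt
crawl: true
co_output: endpoints.yaml
max_pages: -1
xss: true
threads: 40
output: results.yaml
"""

# Assumed mapping from preset keys to the CLI flags they stand in for;
# xstrike's real loader may name these differently.
PRESET_TO_FLAG = {
    "wordlist": "w", "crawl": "crawl", "co_output": "co", "max_pages": "max_pages",
    "xss": "xss", "threads": "t", "output": "o", "from_file": "from_file",
}

def _coerce(raw: str):
    """Turn a preset scalar into bool, int or str (YAML-style true/false)."""
    low = raw.strip().lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(raw)
    except ValueError:
        return raw.strip().strip("'\"")

def parse_preset(text: str) -> dict:
    """Parse the flat 'key: value' presets the README shows; nested YAML is
    deliberately unsupported, and an unknown key is an error, not a silent no-op."""
    preset = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # first ':' only, so URLs survive
        if not sep or key.strip() not in PRESET_TO_FLAG:
            raise ValueError(f"bad preset line: {line!r}")
        preset[key.strip()] = _coerce(value)
    return preset

def preset_path(number: int, home: str = "") -> Path:
    """-M N -> ~/.config/xstrike/presets/N.yaml (home overridable for tests)."""
    base = Path(home) if home else Path.home()
    return base / ".config" / "xstrike" / "presets" / f"{number}.yaml"

def merge_config(preset: dict, cli: dict) -> dict:
    """Start from the preset (translated to flag names); explicitly given CLI
    flags win, flags left at None keep the preset value."""
    config = {PRESET_TO_FLAG[k]: v for k, v in preset.items()}
    config.update({k: v for k, v in cli.items() if v is not None})
    return config
```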

plan

xstrike started as an XSS fuzzer but it won't stop there. the goal is a single CLI tool that covers the boring parts of web testing so I don't have to switch between 5 different scripts.

  • XSS fuzzing with probe + adapt + fuzz
  • spider crawling with concurrent page fetches
  • dom-based XSS detection via js sink scanning
  • wordlist generation and waf bypass payloads
  • preset system for saved scan configs
  • sql injection mode
  • open redirect detection
  • file inclusion (lfi/rfi) fuzzing
  • ssti template injection scanning
  • full report generation (pdf, html)
  • plugin system so each module can be loaded separately
  • headless browser verification for dom xss (only if the current DOM detection turns out to be inaccurate)
  • authentication handling (login flow, session persistence)
