# Intro

- Almost all Web Application Vulnerability Scanners (like [Nessus](https://www.tenable.com/products/nessus), [Burp Pro](https://portswigger.net/burp/pro), or [ZAP](https://www.zaproxy.org/)) have various capabilities for detecting all three types of XSS vulnerabilities
- These scanners usually do two types of scanning: a Passive Scan, which reviews client-side code for potential DOM-based vulnerabilities, and an Active Scan, which sends various types of payloads to attempt to trigger an XSS through payload injection in the page source
- Some of the common open-source tools that can assist us in XSS discovery are [XSS Strike](https://github.com/s0md3v/XSStrike), [Brute XSS](https://github.com/rajeshmajumdar/BruteXSS), and [XSSer](https://github.com/epsylon/xsser)
- Setting up `XSS Strike`

```bash
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py

XSStrike v3.1.4
...SNIP...
```

- Running `XSS Strike`

```bash
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"

XSStrike v3.1.4
[~] Checking for DOM vulnerabilities
[+] WAF Status: Offline
<SNIP>
```

# Manual Discovery

- When it comes to manual XSS discovery, the difficulty of finding the XSS vulnerability depends on the level of security of the web application
- Basic XSS vulnerabilities can usually be found through testing various XSS payloads, but identifying advanced XSS vulnerabilities requires advanced code review skills
- We can then begin testing these payloads one by one by copying each one, adding it to our form, and seeing whether an alert box pops up
- You will notice that the majority of the above payloads do not work with our example web applications, even though we are dealing with the most basic type of XSS vulnerabilities
- This is because these payloads are written for a wide variety of injection points (like injecting after a single quote) or are designed to evade certain security measures (like sanitization filters)
- Furthermore, such payloads utilize a variety of injection vectors to execute JavaScript code, like basic `<script>` tags, other `HTML Attributes` like `<img>`, or even `CSS Style` attributes
- This is why we can expect that many of these payloads will not work in all test cases, as they are designed to work with certain types of injections
- So it is not very efficient to resort to manually copying/pasting XSS payloads: even if a web application is vulnerable, it may take us a while to identify the vulnerability, especially if we have many input fields to test

# Code Review

- The most reliable method of detecting XSS vulnerabilities is manual code review, which should cover both back-end and front-end code
- If we understand precisely how our input is being handled all the way until it reaches the web browser, we can write a custom payload that should work with high confidence

# Exercise

- try without payload
    - successful registration

![[images/Pasted image 20251212210331.png]]

- test this page with XSStrike

> reflections found for email

![[images/Pasted image 20251212211222.png]]
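The "reflections found" step that XSStrike reported in the exercise, and the Manual Discovery point that a payload only works for the injection point it was written for, can be shown in a small reflection check. This is an added example, not XSStrike's own code: the marker, the probe characters and the two server responses are constructed here, and the context classifier is a heuristic rather than a full HTML parser.

```python
import html
import re

# Added example, not XSStrike's code: submit one harmless marker, then classify the
# HTML context of each reflection, since that decides which payload type could work there.
MARKER = "xsSmArk3r"      # constructed marker, unlikely to occur naturally in a page
PROBE_CHARS = "<>\"'"    # characters most payloads rely on to break out of a context

def classify_context(prefix: str) -> str:
    """Heuristic context of a reflection, judged only from the text preceding it
    (not a full HTML parser: a '<' inside JavaScript can mislead the tag check)."""
    low = prefix.lower()
    if low.rfind("<!--") > low.rfind("-->"):
        return "comment"
    tag_open = prefix.rfind("<")
    if tag_open > prefix.rfind(">"):            # still inside an open tag
        inside = prefix[tag_open:]
        if inside.count('"') % 2 == 1:
            return "attribute_double_quoted"
        if inside.count("'") % 2 == 1:
            return "attribute_single_quoted"
        return "tag_unquoted"
    if low.rfind("<script") > low.rfind("</script"):
        return "script"
    return "html_text"

def find_reflections(doc: str, marker: str = MARKER) -> list:
    """Context of every reflection of the marker, in document order."""
    return [classify_context(doc[:m.start()]) for m in re.finditer(re.escape(marker), doc)]

def unencoded_chars(doc: str, marker: str = MARKER) -> str:
    """Which PROBE_CHARS, submitted as marker + PROBE_CHARS, came back verbatim after
    the marker. Missing ones were encoded or stripped, so payloads needing them fail here."""
    idx = doc.find(marker)
    if idx == -1:
        return ""
    tail, kept = doc[idx + len(marker):], ""
    for ch in PROBE_CHARS:
        if tail.startswith(ch):
            kept, tail = kept + ch, tail[1:]
    return kept

# Constructed responses standing in for a page that reflects the submitted email value.
RAW_RESPONSE = (
    "<html><body>\n<p>Welcome back, " + MARKER + "</p>\n"
    '<input type="text" name="email" value="' + MARKER + '">\n'
    "<a href='/profile?u=" + MARKER + "'>profile</a>\n"
    '<script>var user = "' + MARKER + '";</script>\n'
    "<!-- debug: " + MARKER + " -->\n</body></html>"
)
ENCODED_RESPONSE = "<p>Welcome back, " + html.escape(MARKER + PROBE_CHARS) + "</p>"
```

Running `find_reflections(RAW_RESPONSE)` lists one context per reflection, which tells you whether a `<script>` tag, an attribute break-out after a quote, or a JavaScript string escape is the relevant payload family; `unencoded_chars` then tells you whether the characters that family needs survive the application's encoding.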