Home

Awesome

xsscrapy

Fast, thorough, XSS/SQLi spider. Give it a URL and it'll test every link it finds for cross-site scripting and some SQL injection vulnerabilities. See FAQ for more details about SQLi detection.

From within the main folder run:

./xsscrapy.py -u http://example.com

If you wish to login then crawl:

./xsscrapy.py -u http://example.com/login_page -l loginname

If you wish to login with HTTP Basic Auth then crawl:

./xsscrapy.py -u http://example.com/login_page -l loginname --basic

If you wish to use cookies:

./xsscrapy.py -u http://example.com/login_page --cookie "SessionID=abcdef1234567890"

If you wish to limit simultaneous connections to 20:

./xsscrapy.py -u http://example.com -c 20

If you want to rate limit to 60 requests per minute:

./xsscrapy.py -u http://example.com/ -r 60

XSS vulnerabilities are reported in xsscrapy-vulns.txt

Dependencies

wget -O -u https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install -r requirements.txt

May need additional libraries depending on OS. libxml2 libxslt zlib libffi openssl (sometimes libssl-dev)

Tests

FAQ

License

Copyright (c) 2014, Dan McInerney All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.