Home

Awesome

NoXss

found issues release license

NoXss is a cross-site script vulnerability scanner supported reflected xss and dom-based xss. It's very fast and suitable for testing millions of urls. It has found some xss vulnerabilities in Bug Bounty program.

Features

Directory

├── engine.py
├── logo
├── cookie.py
├── url.txt
├── cookie
│   └── test.com_cookie
├── traffic
│   ├── 49226b2cbc77b71b.traffic    #traffic file(pickled)
│   └── 49226b2cbc77b71b.reflect    #reflected file(pickled)
├── config.py
├── start.py
├── url.txt.filtered    #filtered urls
├── util.py
├── README.md
├── banner.py
├── requirements.txt
├── result
│   └── 49226b2cbc77b71b-2019_10_29_11_24_44.json   #result
├── model.py
└── test.py

Screenshot

s1

Environment

Linux
Python2.7
Browser:Phantomjs or Chrome

Install

Ubuntu

Centos

MacOS


If you want to scan use "--browser=chrome",you must install chrome mannually. You can use "--check" to test the installation.
python start.py --check

Usage

python start.py --url url --save
python start.py --url url --cookie cookie --browser chrome --save  
python start.py --url url --cookie cookie --browser chrome-headless --save  
python start.py --file ./url.txt --save  
python start.py --burp ./test.xml --save  
python start.py --file file --filter

Options

--url scan from url.
--id rescan from *.traffic file by task id.
--file scan urls from text file(like ./url.txt).
--burp scan *.xml(base64 encoded,like ./test.xml) from burpsuite proxy.
--process number of process.
--coroutine number of coroutine.
--cookie use cookie.
--filter filter urls.
--browser use browser(chrome,chrome-headless or phantomjs) to scan,it's good at DOM-based xss but slow.
--save save results to ./result/id.json.
--clear delete traffic files after scanning.

How to scan data from Burpsuite

In Proxy,"Save items" ==> "test.xml"
s3
Then you can scan test.xml:
python start.py --burp=./test.xml

How to rescan

After scanning firstly,there will be taskid.traffic and taskid.reflect in ./traffic/:

How does NoXss work?

Payloads

NoXss use only 8 payloads for scanning.These payloads are based on param's reflected position.Fewer payloads make it faster than fuzzing.

Async&multi-process

NoXss is highly concurrent for using coroutine.

Support dom-based xss

More and more page is using dom to render html.NoXss can parse it with using Phantomjs(default) or chrome.

Analysis files

Some xss is difficult to scan.NoXss will save some files in traffic/ for analysing,include:

Example

As you see in Screenshot,the poc is https://xxx/?proxyAccount=xssjs%22%3B&shareName=duhxams,That means use the payload xssjs%22%3B in param "proxyAccount":
poc
Then you can end the double qoutes use payload xssjs";alert(1);//.The final exploit is:
https://xxx.com/?proxyAccount=xssjs";alert(1);//&shareName=duhxams