Home

Awesome

xssmap

xssmap is a tiny tool to scan for (DOM)XSS vulnerabilities by using a headless browser based on webkit (PhantomJS). This enables evaluation of attack vectors and is nearly false positive free.

Requirements

Installation

  1. Install the phantomjs command line tool.
  2. go get github.com/rverton/xssmap
  3. xssmap -h

Usage

XSSMAP v0.1. github.com/rverton/xssmap

Usage:
    xssmap [--method=<method>] [--data=<data>] [--json] [--failed] [--payloads=<payloads.txt>] URL
    xssmap -h | --help
    xssmap --version

Arguments:
    URL  insert {XSS} as a placeholder for payloads

Options:
    --failed  Show failed attempts.
    --json  Use JSON as output format.
    -h --help  Show this screen.
    --version  Show version.

Example:
    xssmap http://server.com/foo{XSS}
    xssmap --method=POST --data="foo={XSS}" http://server.com/vuln
    xssmap --failed http://server.com/foo#{XSS}

Payloads

Payloads are located in payloads.txt. xssmap checks if window.xssmap is defined. All payloads are either

Most of payloads were slightly modified from ra2-dom-xss-scanner.

License

MIT