MCPcopy
hub / github.com/s0md3v/XSStrike

github.com/s0md3v/XSStrike @3.1.6 sqlite

repository ↗ · DeepWiki ↗ · release 3.1.6 ↗
74 symbols 407 edges 27 files 3 documented · 4%
README

XSStrike XSStrike

Advanced XSS Detection Suite

multi xss

XSStrike WikiUsageFAQFor DevelopersCompatibilityGallery

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.

Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. Here are some examples of the payloads generated by XSStrike:

}]};(confirm)()//\
<A%0aONMouseOvER%0d=%0d[8].find(confirm)>z
</tiTlE/><a%0donpOintErentER%0d=%0d(prompt)``>z
</SCRiPT/>

<img src="https://raw.githubusercontent.com/s0md3v/s0md3v.github.io/refs/heads/main/imgs/inline/iproyal.png"></a>

### Main Features
- Reflected and DOM XSS scanning
- Multi-threaded crawling
- Context analysis
- Configurable core
- WAF detection & evasion
- Outdated JS lib scanning
- Intelligent payload generator
- Handmade HTML & JavaScript parser
- Powerful fuzzing engine
- Blind XSS support
- Highly researched work-flow
- Complete HTTP support
- Bruteforce payloads from a file
- Powered by [Photon](https://github.com/s0md3v/Photon), [Zetanize](https://github.com/s0md3v/zetanize) and [Arjun](https://github.com/s0md3v/Arjun)
- Payload Encoding

### Installation
Enter the following commands one by one in terminal:

git clone https://github.com/s0md3v/XSStrike cd XSStrike pip install -r requirements.txt --break-system-packages


Now, XSStrike can be used at any time as follows:

python xsstrike.py ```

Documentation

FAQ

Gallery

DOM XSS

dom xss

Reflected XSS

multi xss

Crawling

crawling

Fuzzing

fuzzing

Bruteforcing payloads from a file

bruteforcing

Interactive HTTP Headers Prompt

headers

Hidden Parameter Discovery

arjun

Contribution, Credits & License

Ways to contribute - Suggest a feature - Report a bug - Fix something and open a pull request - Help me document the code - Spread the word

Licensed under the GNU GPLv3, see LICENSE for more information.

The WAF signatures in /db/wafSignatures.json are taken & modified from sqlmap. I extracted them from sqlmap's waf detection modules which can found here and converted them to JSON.\ /plugins/retireJS.py is a modified version of retirejslib.

Core symbols most depended-on inside this repo

format
called by 21
core/log.py
requester
called by 13
core/requester.py
setup_logger
called by 11
core/log.py
getVar
called by 10
core/utils.py
genGen
called by 6
core/utils.py
e
called by 5
core/zetanize.py
d
called by 5
core/zetanize.py
is_defined
called by 5
plugins/retireJs.py

Shape

Function 70
Class 2
Method 2

Languages

Python100%

Modules by API surface

core/utils.py23 symbols
plugins/retireJs.py16 symbols
core/log.py14 symbols
core/zetanize.py3 symbols
core/photon.py2 symbols
modes/singleFuzz.py1 symbols
modes/scan.py1 symbols
modes/crawl.py1 symbols
modes/bruteforcer.py1 symbols
core/wafDetector.py1 symbols
core/updater.py1 symbols
core/requester.py1 symbols

For agents

$ claude mcp add XSStrike \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact