Skip to content

rverton/xssmap

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.gitignore
.gitignore
 
 
README.md
README.md
 
 
main.go
main.go
 
 
payloads.txt
payloads.txt
 
 
phantom.go
phantom.go
 
 
xssmap_test.go
xssmap_test.go
 
 

Repository files navigation

xssmap

xssmap is a tiny tool to scan for (DOM)XSS vulnerabilities by using a headless browser based on webkit (PhantomJS). This enables evaluation of attack vectors and is nearly false positive free.

Requirements

Installation

  1. Install the phantomjs command line tool.
  2. go get github.com/rverton/xssmap
  3. xssmap -h

Usage

XSSMAP v0.1. github.com/rverton/xssmap

Usage:
    xssmap [--method=<method>] [--data=<data>] [--json] [--failed] [--payloads=<payloads.txt>] URL
    xssmap -h | --help
    xssmap --version

Arguments:
    URL  insert {XSS} as a placeholder for payloads

Options:
    --failed  Show failed attempts.
    --json  Use JSON as output format.
    -h --help  Show this screen.
    --version  Show version.

Example:
    xssmap http://server.com/foo{XSS}
    xssmap --method=POST --data="foo={XSS}" http://server.com/vuln
    xssmap --failed http://server.com/foo#{XSS}

Payloads

Payloads are located in payloads.txt. xssmap checks if window.xssmap is defined. All payloads are either

  • setting window.xssmap = true; or
  • calling xssm(), a function which is injected and executes window.xssmap = true.

Most of payloads were slightly modified from ra2-dom-xss-scanner.

License

MIT

About

(DOM-)XSS fuzzer based on phantomjs and go.

Topics

security xss fuzzing pentesting

Resources

Readme
Activity

Stars

34 stars

Watchers

4 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages