Introduction

  • In this post we will cover the basics of XSS automation using Paramspider and kxss, as applied in pentesting and bug bounties.

Prerequisites

  • Paramspider

  • kxss

What is XSS

XSS (Cross-Site Scripting) is a type of security vulnerability that can be found in web applications. It allows an attacker to inject malicious code, such as scripts, into a web page viewed by other users. This can lead to the theft of sensitive information, such as login credentials or personal data, and can also be used to hijack user sessions or redirect users to malicious websites. The severity of an XSS vulnerability can range from minor annoyance to significant risk to the security of a web application and its users.

What are parameters

“…URL parameters or query strings are the part of a URL that typically comes after a question mark (?) and are used to pass data along with the URL. They can be active parameters that modify page content or passive parameters that are mostly used for tracking and do not change the content” (quoted from a reference titled “url parameters”)

What is Paramspider

Paramspider is a tool by devanshbatham that fetches URLs related to a domain or a list of domains from Wayback archives. It also filters out “boring” URLs, allowing you to focus on the ones that matter the most (from the project’s About).

Installation

▶ git clone https://github.com/devanshbatham/paramspider
▶ cd paramspider
▶ pip install .

Usage

paramspider -d example.com


What is kxss

Emoe’s kxss is a tool adapted from Tomnomnom’s kxss hacks script. The general idea behind the tool’s logic is:

  • Take URLs with params on stdin. These might have come from waybackurls or maybe a Burp session.
  • Request the URLs and check the response body for any reflected parameters. There will be many false positives here.
  • For any reflected parameters, re-request with some random alphanumeric value appended to the param. Only one param is appended to at a time, to avoid breaking the request when a different param is required.

Installation


▶ go install github.com/Emoe/kxss@latest

Usage

  • In our case we will pipe the URLs fetched by Paramspider into kxss.

▶ cat output/example.com.txt | kxss


Cleaning up the results


# Simple Python script to remove empty "Unfiltered: []" results from kxss output.
# Only lines where kxss found at least one unfiltered character are kept.
input_filename = "unfiltered.txt"       # raw kxss output, saved from stdout
output_filename = "filtered_output.txt"  # lines worth looking at

with open(input_filename, 'r') as infile, open(output_filename, 'w') as outfile:
    for line in infile:
        # kxss prints "Unfiltered: []" when every probe character was encoded or stripped
        if "Unfiltered: []" not in line:
            outfile.write(line)

print(f"Filtered results have been saved to {output_filename}")


  • With a smaller list of potentially vulnerable parameters that reflect unfiltered characters, we can proceed to craft XSS payloads that may trigger; otherwise one can use other XSS automation tools such as XSStrike, Nuclei, Dalfox, etc.
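Going one step beyond the filter script above, here is an added example (not from the post or from kxss itself) that parses kxss result lines and groups them by how much the reflected, unfiltered characters allow, so the parameters whose output encoding most needs fixing are reviewed first. The line layout (URL / Param / Unfiltered) is assumed from the "Unfiltered: []" string the cleanup script keys on, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of kxss output; the line shape is an assumption based on the
# "Unfiltered: []" marker the post's cleanup script filters on.
SAMPLE_KXSS_OUTPUT = """\
URL: https://example.com/search?q=test Param: q Unfiltered: []
URL: https://example.com/search?q=test Param: q Unfiltered: [" ' < > $ | ( ) :]
URL: https://example.com/page?id=1&ref=x Param: ref Unfiltered: [' (]
URL: https://example.com/page?id=1&ref=x Param: id Unfiltered: []
progress: 4 urls checked
"""

LINE_RE = re.compile(
    r"^URL:\s+(?P<url>\S+)\s+Param:\s+(?P<param>\S+)\s+Unfiltered:\s+\[(?P<chars>[^\]]*)\]"
)


def parse_kxss(text):
    """Return (url, param, set_of_unfiltered_chars) for each non-empty result line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a result line (progress output, blank lines, ...)
        chars = set(m.group("chars").split())
        if not chars:
            continue  # same rule as the cleanup script: drop "Unfiltered: []"
        results.append((m.group("url"), m.group("param"), chars))
    return results


def classify(chars):
    """Rank by context: angle brackets allow new tags, quotes allow attribute breakout."""
    if {"<", ">"} <= chars:
        return "high"
    if chars & {'"', "'"}:
        return "medium"
    return "low"


def triage(text):
    """Group parsed results into {priority: [(url, param, sorted_chars), ...]}."""
    grouped = defaultdict(list)
    for url, param, chars in parse_kxss(text):
        grouped[classify(chars)].append((url, param, sorted(chars)))
    return dict(grouped)


if __name__ == "__main__":
    for prio, items in triage(SAMPLE_KXSS_OUTPUT).items():
        for url, param, chars in items:
            print(f"[{prio}] {param} @ {url} -> {' '.join(chars)}")
```

Run it against a saved kxss output file by replacing SAMPLE_KXSS_OUTPUT with the file contents; the "high" group is where encoding of the reflected value must be fixed first.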

POC
