- Linux
- Git package
- Python package
How to Install and use
From within the main folder run:
./xsscrapy.py -u http://example.com
If you wish to login then crawl:
./xsscrapy.py -u http://example.com/login_page -l loginname
If you wish to login with HTTP Basic Auth then crawl:
./xsscrapy.py -u http://example.com/login_page -l loginname --basic
If you wish to use cookies:
./xsscrapy.py -u http://example.com/login_page --cookie "SessionID=abcdef1234567890"
If you wish to limit simultaneous connections to 20:
./xsscrapy.py -u http://example.com -c 20
If you want to rate limit to 60 requests per minute:
./xsscrapy.py -u http://example.com/ -r 60
XSS vulnerabilities found are written to xsscrapy-vulns.txt
Dependencies
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install -r requirements.txt
Additional system libraries may be needed depending on the OS: libxml2, libxslt, zlib, libffi, openssl (sometimes libssl-dev)
Tests
- Cookies
- User-Agent
- Referer
- URL variables
- End of URL
- URL path
- Forms both hidden and explicit
FAQ
- If it gives the error ImportError: cannot import name LinkExtractor, you don't have the latest version of scrapy. You can upgrade it using: sudo pip install --upgrade scrapy
- It's called XSScrapy, so why SQL injection detection too? There is overlap between dangerous XSS characters and dangerous SQL injection characters, namely single and double quotes. Detecting SQL injection errors in a response is also simple and not CPU-intensive. So although 99% of this script is geared toward high and accurate detection of XSS, adding simple SQL injection detection through error message discovery is a cheap and effective addition. This script will not test for blind SQL injection. The error messages it looks for come straight from w3af's sqli audit plugin.
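The response-side check the FAQ describes, as an added example (not XSScrapy's own code): scan a response body for database error strings that indicate a quote character reached the query unescaped. The signature list here is a small constructed sample of common engine error messages, not w3af's list, and the sample responses are constructed.

```python
import re

# Constructed sample of database error signatures (assumption: common engine
# error strings; this is NOT the w3af list that XSScrapy uses).
SQL_ERROR_SIGNATURES = {
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"Warning: mysql_fetch_array\(\)",
    ],
    "PostgreSQL": [
        r"pg_query\(\): Query failed",
        r"unterminated quoted string at or near",
    ],
    "Microsoft SQL Server": [
        r"Unclosed quotation mark after the character string",
    ],
    "Oracle": [
        r"ORA-\d{5}",
        r"quoted string not properly terminated",
    ],
    "SQLite": [
        r"SQLite3::query\(\)",
    ],
}

# Compile once; case-insensitive because frameworks often rewrap messages.
_COMPILED = {
    engine: [re.compile(p, re.IGNORECASE) for p in patterns]
    for engine, patterns in SQL_ERROR_SIGNATURES.items()
}


def find_sql_errors(body):
    """Return {engine: [matched text, ...]} for each signature found in a response body."""
    hits = {}
    for engine, patterns in _COMPILED.items():
        for pattern in patterns:
            m = pattern.search(body)
            if m:
                hits.setdefault(engine, []).append(m.group(0))
    return hits


# Constructed sample responses: a clean page and one that leaks a DB error.
CLEAN_RESPONSE = "<html><body><h1>Search results</h1><p>0 items found.</p></body></html>"
LEAKY_RESPONSE = (
    "<html><body><pre>Warning: mysql_fetch_array() expects parameter 1 to be resource\n"
    "You have an error in your SQL syntax; check the manual ...</pre></body></html>"
)

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(name, find_sql_errors(body))
```

A page that leaks such messages is worth fixing regardless of exploitability, since the error text itself discloses the backend engine and query structure.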