hacktricks/pentesting-web/xss-cross-site-scripting/xss-tools.md

# Ferramentas de XSS

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

## XSStrike
```bash
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py

python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" 
```
**Uso básico (Get):**\
python3 xsstrike.py --headers -u "http://localhost/vulnerabilities/xss\_r/?name=asd"\
**Uso básico (Post):**\
python xsstrike.py -u "http://exemplo.com/search.php" --data "q=consulta"\
**Crawling (profundidade padrão = 2):**\
python xsstrike.py -u "http://exemplo.com/pagina.php" --crawl -l 3\
**Encontrar parâmetros ocultos:**\
python xsstrike.py -u "http://exemplo.com/pagina.php" --params\
**Extra:**\
\--headers #Definir cabeçalhos personalizados (como cookies). É necessário definir a cada vez\
\--skip-poc\
\--skip-dom #Pular a verificação de XSS no DOM

## BruteXSS
```
git clone https://github.com/rajeshmajumdar/BruteXSS
```
Ferramenta para encontrar parâmetros vulneráveis (GET ou POST) para XSS usando uma lista de payloads com interface gráfica.\
Cabeçalhos personalizados (como cookies) não podem ser configurados.

## XSSer

[https://github.com/epsylon/xsser](https://github.com/epsylon/xsser)\
Já vem instalado no Kali.\
Ferramenta completa para encontrar XSS.

**Uso básico (GET):**\
\
A ferramenta não envia o payload:(

## XSSCrapy
```
git clone https://github.com/DanMcInerney/xsscrapy
```
Não recomendado. Muita saída desnecessária e não funciona corretamente.

## Dalfox

[https://github.com/hahwul/dalfox](https://github.com/hahwul/dalfox)

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`# Ferramentas de XSS`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

update twitter 2023-04-25 18:35:28 +00:00			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Você trabalha em uma empresa de segurança cibernética? Você quer ver sua empresa anunciada no HackTricks? ou você quer ter acesso à última versão do PEASS ou baixar o HackTricks em PDF? Confira os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Adquira o [swag oficial do PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Junte-se ao [💬](https://emojipedia.org/speech-balloon/) [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-me no Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Compartilhe suas técnicas de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

GitBook: [#3539] No subject 2022-10-03 09:49:04 +00:00			`## XSStrike`
			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`git clone https://github.com/s0md3v/XSStrike.git`
GitBook: [#3539] No subject 2022-10-03 09:49:04 +00:00			`cd XSStrike`
			`pip install -r requirements.txt`
			`python xsstrike.py`

			`python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Uso básico (Get):\`
GitBook: [#3539] No subject 2022-10-03 09:49:04 +00:00			`python3 xsstrike.py --headers -u "http://localhost/vulnerabilities/xss\_r/?name=asd"\`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Uso básico (Post):\`
			`python xsstrike.py -u "http://exemplo.com/search.php" --data "q=consulta"\`
			`Crawling (profundidade padrão = 2):\`
			`python xsstrike.py -u "http://exemplo.com/pagina.php" --crawl -l 3\`
			`Encontrar parâmetros ocultos:\`
			`python xsstrike.py -u "http://exemplo.com/pagina.php" --params\`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Extra:\`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`\--headers #Definir cabeçalhos personalizados (como cookies). É necessário definir a cada vez\`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\--skip-poc\`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`\--skip-dom #Pular a verificação de XSS no DOM`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3539] No subject 2022-10-03 09:49:04 +00:00			`## BruteXSS`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`git clone https://github.com/rajeshmajumdar/BruteXSS`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Ferramenta para encontrar parâmetros vulneráveis (GET ou POST) para XSS usando uma lista de payloads com interface gráfica.\`
			`Cabeçalhos personalizados (como cookies) não podem ser configurados.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3539] No subject 2022-10-03 09:49:04 +00:00			`## XSSer`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`[https://github.com/epsylon/xsser](https://github.com/epsylon/xsser)\`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Já vem instalado no Kali.\`
			`Ferramenta completa para encontrar XSS.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Uso básico (GET):\`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`A ferramenta não envia o payload:(`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3539] No subject 2022-10-03 09:49:04 +00:00			`## XSSCrapy`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`git clone https://github.com/DanMcInerney/xsscrapy`
			```
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`Não recomendado. Muita saída desnecessária e não funciona corretamente.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#3539] No subject 2022-10-03 09:49:04 +00:00			`## Dalfox`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`[https://github.com/hahwul/dalfox](https://github.com/hahwul/dalfox)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

update twitter 2023-04-25 18:35:28 +00:00			`<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* Você trabalha em uma empresa de segurança cibernética? Você quer ver sua empresa anunciada no HackTricks? ou você quer ter acesso à última versão do PEASS ou baixar o HackTricks em PDF? Confira os [PLANOS DE ASSINATURA](https://github.com/sponsors/carlospolop)!`
			`* Descubra [A Família PEASS](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Adquira o [swag oficial do PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Junte-se ao [💬](https://emojipedia.org/speech-balloon/) [grupo do Discord](https://discord.gg/hRep4RUj7f) ou ao [grupo do telegram](https://t.me/peass) ou siga-me no Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Compartilhe seus truques de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`