XSSFuzzer - A Tool Which Generates XSS Payloads Based on User-Defined Vectors and Fuzzing Lists


XSS Fuzzer is a simple application written in plain HTML/JavaScript/CSS which generates XSS payloads based on user-defined vectors using multiple placeholders which are replaced with fuzzing lists.
It offers the possibility to just generate the payloads as plain text or to execute them inside an iframe. Inside iframes, it is possible to send GET or POST requests from the browser to arbitrary URLs using generated payloads.

Why?
XSS Fuzzer is a generic tool that can be useful for multiple purposes, including:
  • Finding new XSS vectors, for any browser
  • Testing XSS payloads on GET and POST parameters
  • Bypassing XSS Auditors in the browser
  • Bypassing web application firewalls
  • Exploiting HTML whitelist features
Example
In order to fuzz, it is required to use placeholders, for example:
  • The [TAG] placeholder with fuzzing list: img svg.
  • The [EVENT] placeholder with fuzzing list: onerror onload.
  • The [ATTR] placeholder with fuzzing list: src value.
The payloads will use the mentioned placeholders, such as:
<[TAG] [ATTR]=Something [EVENT]=[SAVE_PAYLOAD] />
The [SAVE_PAYLOAD] placeholder will be replaced with JavaScript code such as alert(unescape('[PAYLOAD]'));.
This code is triggered when an XSS payload is successfully executed.
The result for the mentioned fuzzing lists and payload will be the following:
       
When it is executed in a browser such as Mozilla Firefox, it will alert the executed payloads:
  

Sending requests
It is possible to use a page vulnerable to XSS for different tests, such as bypasses for the browser XSS Auditor. The page can receive a GET or POST parameter called payload and will only display its unescaped value.
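The following is an added example, not code from XSS Fuzzer itself: it expands the vector and fuzzing lists shown above into a test corpus and uses it as a regression check that an echo page HTML-encodes the payload parameter. The functions expand, escapeHtml, renderWeak, renderHardened and reflectedRaw are hypothetical names, and [SAVE_PAYLOAD] is deliberately left unexpanded as an inert marker.

```javascript
// Fuzzing lists and vector copied from the example on this page.
const lists = {
  TAG: ["img", "svg"],
  EVENT: ["onerror", "onload"],
  ATTR: ["src", "value"],
};
const vector = "<[TAG] [ATTR]=Something [EVENT]=[SAVE_PAYLOAD] />";

// Replace every [NAME] placeholder that has a list with each list value
// (cartesian product). Placeholders without a list, such as
// [SAVE_PAYLOAD], are left untouched.
function expand(template, lists) {
  const names = Object.keys(lists).filter((n) => template.includes(`[${n}]`));
  let out = [template];
  for (const name of names) {
    out = out.flatMap((s) =>
      lists[name].map((v) => s.split(`[${name}]`).join(v))
    );
  }
  return out;
}

// Hypothetical echo page (an assumption, modelled on the test page described
// above): the weak form reflects the parameter as-is, the hardened form
// HTML-encodes it before writing it into the response.
function escapeHtml(s) {
  return s.replace(/[&<>"'`=\/]/g, (c) => `&#${c.charCodeAt(0)};`);
}
const renderWeak = (p) => `<div id="out">${p}</div>`;
const renderHardened = (p) => `<div id="out">${escapeHtml(p)}</div>`;

// Count the corpus entries that come back byte-for-byte in the response.
function reflectedRaw(render, corpus) {
  return corpus.filter((p) => render(p).includes(p)).length;
}

const corpus = expand(vector, lists);
console.log("corpus size:", corpus.length);
console.log("reflected raw (weak):", reflectedRaw(renderWeak, corpus));
console.log("reflected raw (hardened):", reflectedRaw(renderHardened, corpus));
```

A non-zero count for the hardened renderer means some entry of the corpus reached the response without being encoded.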

Website
A live version can be found at https://xssfuzzer.com

Contact
The application is in beta state so it might have bugs. If you would like to report a bug or provide a suggestion, you can use the GitHub repository or you can send me an email to contact [a] xssfuzzer.com.