Sign in to follow this  
0x1

Traxss

Recommended Posts

Automated Vulnerability Scanner for XSS | Written in Python3 | Utilizes Selenium Headless

Hidden Content

    Give reaction to this post to see the hidden content.

Traxss is a Hacktoberfest Project! If you are looking for a place to make contribute, please feel free.

Traxss is an automated framework to scan URLs and webpages for XSS Vulnerabilities. It includes over 575 Payloads to test with and multiple options for robustness of tests. View the gif above to see a preview of the fastest type of scan.

Getting Started

Prerequisites

Traxss depends on Chromedriver. On MacOS this can be installed with the homebrew command:

Hidden Content

    Give reaction to this post to see the hidden content.

Installation

Run the command:

Hidden Content

    Give reaction to this post to see the hidden content.

Running Traxss

Traxx can be started with the command:

Hidden Content

    Give reaction to this post to see the hidden content.

This will launch an interactive CLI to guide you through the process.

Types of Scans

Full Scan w/ HTML

Uses a query scan with 575+ payloads and attempts to find XSS vulnerabilities by passing parameters through the URL. It will also render the HTML and attempt to find manual XSS Vulnerablities (this feature is still in beta).

Full Scan w/o HTML

This scan will run the query scan only.

Fast Scan w/ HTML

This scan is the same as the full w/ HTML but it will only use 7 attack vectors rather than the 575+ vectors.

Fast Scan w/o HTML

This scan is the same as the fast w/o HTML but it will only use 7 attack vectors rather than the 575+ vectors.

 

More info && Download

Hidden Content

    Give reaction to this post to see the hidden content.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Similar Content

    • By 0x1
      Firefox Extension of HackBar without license

      Hidden Content
      Give reaction to this post to see the hidden content. A HackBar for new firefox (Firefox Quantum). This addon is written in webextension and alternatives to the XUL version of original Hackbar.
      How to use
      Press F12 to open hackbar Feature
      Load, split, execute url from address bar. Custom/add referrer url, User Agent, cookie. Tools: md5, sha1, sha256, rot13 encryption, url, base64 encoding, beautifier json data, sql, xss features. Shortcut
      Ctrl + Enter to execute FOREVER FREE
      Download && Code Source

      Hidden Content
      Give reaction to this post to see the hidden content.
    • By 0x1
      A ready to use JSONP endpoints to help bypass content security policy of different websites.

      Hidden Content
      Give reaction to this post to see the hidden content. The tool was presented during HackIT 2018 in Kiev. The presentation can be found Here

      Hidden Content
      Give reaction to this post to see the hidden content. What is JSONBee ?
      The main idea behind this tool is to find the JSONP endpoint(s) that would help you bypass content security policy for your target website in an automated way. JSONBee takes an input of a url name (i.e. https://www.facebook[.]com), parses the CSP (Content-Security-Policy), and automatically suggest the XSS payload that would bypass the CSP. It mainly focuses on JSONP endpoints gathered during my bug bounty hunting activities, and could be used to bypass the CSP.
      JSONBee relies on 3 methods to gather the JSONP endpoints:
      The repository within this project; Google dorks; Internet archive (archive[.]org). The tool is not yet fully completed as I'm still adding some validations and features too. However, the repository will be hosted here so that anyone can use it till the tool is ready.
      The repo contains ready-to-use payloads that can bypass CSP for Facebook[.]com, Google[.]com and more.

      Hidden Content
      Give reaction to this post to see the hidden content. Bypasing Facebook.com Content-Security policy:
      Facebook.com allows *.google[.]com in its CSP policy (script-src directive), thus, below payload would work like a charm to execute JavaScript on Facebook[.]com:
      Hidden Content
      Give reaction to this post to see the hidden content. If you came across a website that trusts any of the domains in jsonp.txt file in its script-src directive, then pickup a payload  that matches the domain and have fun 🙂
      How can you help?
      You are all welcome to contribute by adding links to sites that uses JSONP endpoins/callbacks to make the repo bigger and more usefull for bug hunters, pentesters, and security researchers.
      Download

      Hidden Content
      Give reaction to this post to see the hidden content.
    • By dEEpEst
      Traxss
      Automated Vulnerability Scanner for XSS | Written in Python3 | Utilizes Selenium Headless


      Hidden Content
      Give reaction to this post to see the hidden content. DEMO
      Background
      Traxss is a Hacktoberfest Project! If you are looking for a place to make contribute, please feel free.
      Traxss is an automated framework to scan URLs and webpages for XSS Vulnerabilities. It includes over 575 Payloads to test with and multiple options for robustness of tests. View the gif above to see a preview of the fastest type of scan.
      Download:
      Hidden Content
      Give reaction to this post to see the hidden content.
    • By 1337day-Exploits
      WiKID Systems 2FA Enterprise Server version 4.2.0-b2032 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

      Hidden Content
      Give reaction to this post to see the hidden content.
    • By itsMe

      Hidden Content
      Give reaction to this post to see the hidden content. Automated Vulnerability Scanner for XSS | Written in Python3 | Utilizes Selenium Headless
      Traxss is a Hacktoberfest Project! If you are looking for a place to make contribute, please feel free.
      Traxss is an automated framework to scan URLs and webpages for XSS Vulnerabilities. It includes over 575 Payloads to test with and multiple options for robustness of tests. View the gif above to see a preview of the fastest type of scan.


      Hidden Content
      Give reaction to this post to see the hidden content.