theultimatederek/XSSProbe
# 🔍 XSSProbe — Web Vulnerability Scanner
## ✨ Features
- 🕷️ **Smart Crawler** — BFS crawl stays on same domain, collects all links and forms
- 💉 **20 XSS Payloads** — basic, event-based, encoded, and filter-evasion vectors
- 🔍 **Dual Injection** — tests both URL GET parameters and HTML form POST/GET fields
- 📊 **Live Dashboard** — real-time stats (pages, tests, vulns, elapsed time)
- 📋 **Live Log** — color-coded terminal output per request
- ⚠️ **Vuln Inspector** — separate tab shows all vulnerabilities with payload + evidence
- 📄 **3 Report Formats** — HTML (styled dark theme) + JSON + CSV
- 🖥️ **GUI + CLI** — dark cyberpunk GUI for demos, CLI for automation
- 🍪 **Cookie Auth** — pass session cookies to scan authenticated pages
- 🎯 **Quick Targets** — one-click preset for DVWA, testphp.vulnweb.com
## 🚀 How to Run
### Prerequisites
- Python 3.9+
- pip
### Installation
```bash
# 1. Clone the repository
git clone https://github.com/YOUR_USERNAME/XSSProbe.git
cd XSSProbe

# 2. Install dependencies
pip install -r requirements.txt

# 3a. Launch GUI
python gui.py

# 3b. OR use CLI
python cli.py -u http://testphp.vulnweb.com -p 20
```
### CLI Options
```text
python cli.py -u <url> [options]

-u, --url      Target URL (required)
-p, --pages    Max pages to crawl (default: 10)
-d, --delay    Delay between requests in seconds (default: 0.3)
-c, --cookie   Session cookie string (e.g. PHPSESSID=abc123)
-o, --output   Output directory for reports (default: reports/)
```
## 🗂️ Project Structure
```text
XSSProbe/
│
├── gui.py              # GUI application (customtkinter dark theme)
├── cli.py              # Command-line interface
├── scanner.py          # Core scan engine (crawler + injector + analyzer)
├── reporter.py         # HTML / JSON / CSV report generator
├── requirements.txt
│
├── reports/            # Generated scan reports (auto-created)
│   ├── xss_report_TIMESTAMP.html
│   ├── xss_report_TIMESTAMP.json
│   └── xss_report_TIMESTAMP.csv
│
└── README.md
```
## 🔬 How It Works
```text
Target URL entered
        ↓
Phase 1 — BFS Crawl
  → Collect all same-domain links
  → Discover URL parameters
  → Find all HTML forms (GET + POST)
        ↓
Phase 2 — Payload Injection
  → Inject each of 20 XSS payloads into every parameter
  → For forms: replace each input field with payload
  → Send GET/POST request with injected data
        ↓
Phase 3 — Reflection Analysis
  → Check if payload appears verbatim in response HTML
  → Check for partial reflection markers (onerror, onload, alert etc.)
        ↓
Phase 4 — Report Generation
  → Save vulnerable URL + parameter + payload + evidence
  → Generate HTML, JSON, CSV reports
```
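The Phase 3 reflection check is where a scanner earns or loses its accuracy: a response that reflects the probe with `<`, `>`, `"` and `'` entity-encoded is the server doing output encoding correctly, and a naive "payload substring in response" test that decodes entities first will report it as a finding. The following is an added example, not the project's `scanner.py`; it classifies a response as verbatim, encoded, partial or absent using a constructed canary token (`xp7Qz`) rather than any of the repository's payloads, and only the verbatim case counts as evidence.

```python
import html
from enum import Enum

# Constructed canary: a unique token wrapped in the characters an HTML
# encoder must neutralise. Illustrative probe, not one of the project's payloads.
TOKEN = "xp7Qz"
PROBE = f'"\'<{TOKEN}>'

class Reflection(Enum):
    VERBATIM = "verbatim"  # probe returned raw, special chars intact: a finding
    ENCODED = "encoded"    # token reflected but < > " ' were entity-encoded: safe
    PARTIAL = "partial"    # token survived, special chars stripped or altered
    NONE = "none"          # probe not reflected at all

def analyze_reflection(body: str, probe: str = PROBE, token: str = TOKEN) -> Reflection:
    """Classify how one probe comes back in one response body."""
    if probe in body:
        return Reflection.VERBATIM
    # html.unescape decodes &lt; &#60; &#x3c; &quot; &#39; &#x27; and friends,
    # so a server that entity-encoded the probe matches here but not above.
    if probe in html.unescape(body):
        return Reflection.ENCODED
    if token in body:
        return Reflection.PARTIAL
    return Reflection.NONE

def evidence(body: str, probe: str = PROBE, width: int = 30) -> str:
    """Raw snippet around the first verbatim reflection, or '' if there is none."""
    i = body.find(probe)
    if i < 0:
        return ""
    return body[max(0, i - width): i + len(probe) + width]

# Constructed sample responses covering each outcome.
SAMPLES = {
    "raw":      f'<input name="q" value="{PROBE}">',
    "encoded":  f'<input name="q" value="{html.escape(PROBE, quote=True)}">',
    "stripped": f'<input name="q" value="{TOKEN}">',
    "absent":   '<input name="q" value="">',
}

def classify_samples() -> dict:
    return {name: analyze_reflection(body).value for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:9s} -> {verdict}")
    print("evidence:", evidence(SAMPLES["raw"]))
```

Reporting only `VERBATIM` hits, with the `evidence()` snippet, is what keeps the scan's vulnerability count honest against pages that echo input safely.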
## 💉 Payload Categories
| Category | Example |
|---|---|
| Basic script | `` |
| Event-based | `` |
| SVG vector | `