XSpear – Powerfull XSS Scanning and Parameter Analysis Tool

XSpear is XSS Scanner on ruby gems. Cross site scripting vulnerabilities are very common on web application and they are usually exploited by attacker to execute a malicious code into victim web browser. the interaction between victim and website may lead to get sensitive information.

XSS is listed on the third place in the ranking of key risks of Web applications according to OWASP 2013. For a long time, application developers and programmers are not giving this type of vulnerability attention, considering them not critical. However, this is a wrong as on major website within the web request or in the HTTP cookie there can be very sensitive data (for example, administrator session identifier or credit card payment numbers) , XSS vulnerability can be affecting Website or user browser that is not patched. in order to scan and identify XSS you can use XSpear.

XSpear - Powerfull XSS Scanning and Parameter Analysis Tool
XSpear – Powerfull XSS Scanning and Parameter Analysis Tool

Key features for this scanner is:

  • Pattern matching based XSS scanning
  • Detect alert confirm prompt event on headless browser (with Selenium)
  • Testing request/response for XSS protection bypass and reflected params
    • Reflected Params
    • Filtered test event handler HTML tag Special Char Useful code
  • Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test…)
  • Dynamic/Static Analysis
    • Find SQL Error pattern
    • Analysis Security headers(CSP HSTS X-frame-options, XSS-protection etc.. )
    • Analysis Other headers..(Server version, Content-Type, etc…)
  • Scanning from Raw file(Burp suite, ZAP Request)
  • XSpear running on ruby code(with Gem library)
  • Show table base cli-report and filtered rule, testing raw query(url)
  • Testing at selected parameters
  • Support output format cli json
    • cli: summary, filtered rule(params), Raw Query
  • Support Verbose level (quit / nomal / raw data)
  • Support custom callback code to any test various attack vectors

You can read more and download this tool over here: https://github.com/hahwul/XSpear

Notify of
Inline Feedbacks
View all comments