Automated XSS Detection scanner for pentesting

WillFromSwiss
3 min read · Aug 5, 2024


In the ever-evolving landscape of web security, Cross-Site Scripting (XSS) remains a persistent threat. As websites grow more complex, manually testing for XSS vulnerabilities becomes increasingly challenging. Today, we’ll explore a powerful Bash script that automates the process of detecting XSS vulnerabilities across an entire domain and its subdomains.

## The Challenge

Manual XSS testing is time-consuming and prone to human error. When dealing with large websites or applications, it’s easy to miss potential vulnerabilities. Moreover, keeping track of all subdomains and historical URLs can be a daunting task. This is where automation comes to the rescue.

## The Solution

Our Bash script combines three powerful tools — subfinder, waybackurls, and dalfox — to create an automated XSS vulnerability scanner. Let’s break down how it works and then see it in action.

## How It Works

1. **Subdomain Enumeration**: Using `subfinder`, the script discovers all subdomains of the target domain.
2. **Historical URL Discovery**: `waybackurls` fetches archived URLs for all discovered subdomains.
3. **XSS Scanning**: `dalfox` analyzes all collected URLs for potential XSS vulnerabilities.

## The Script

```bash
#!/bin/bash

# Check that all required commands are installed
for cmd in subfinder waybackurls dalfox go; do
    if ! command -v "$cmd" &> /dev/null; then
        echo "$cmd is not installed. Please install it before running this script."
        exit 1
    fi
done

# Check that a target domain was provided as an argument
if [ -z "$1" ]; then
    echo "Usage: $0 <target_domain> [X-Hackerone header value]"
    exit 1
fi

TARGET="$1"

# Optional X-Hackerone header, kept in an array so the space inside the header
# value survives word splitting (a plain string with escaped quotes would hand
# dalfox the literal quote characters as separate arguments)
DALFOX_ARGS=()
if [ -n "$2" ]; then
    DALFOX_ARGS+=(--header "X-Hackerone: $2")
fi

# Create a directory for output files
OUTPUT_DIR="xss_scan_results_${TARGET}_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"

echo "Starting XSS vulnerability scan for $TARGET"

# Find subdomains and save them to a file
echo "Finding subdomains..."
subfinder -d "$TARGET" -silent | tee "$OUTPUT_DIR/domains.txt"

# Use waybackurls to get archived URLs and save them to a file
echo "Fetching archived URLs..."
waybackurls < "$OUTPUT_DIR/domains.txt" | sort -u | tee "$OUTPUT_DIR/waybackurls.txt"

# Analyze URLs for XSS vulnerabilities with dalfox (the header array is empty
# when no second argument was given, so one invocation covers both cases)
echo "Scanning for XSS vulnerabilities..."
dalfox pipe --silence "${DALFOX_ARGS[@]}" --output "$OUTPUT_DIR/xss_vulnerabilities.txt" < "$OUTPUT_DIR/waybackurls.txt"

# Add the target name to the top of the report (temp file kept inside the output directory)
{ echo "Target: $TARGET"; cat "$OUTPUT_DIR/xss_vulnerabilities.txt"; } > "$OUTPUT_DIR/report.tmp" \
    && mv "$OUTPUT_DIR/report.tmp" "$OUTPUT_DIR/xss_vulnerabilities.txt"

echo "Scan complete. Results saved in $OUTPUT_DIR/xss_vulnerabilities.txt"
```

## Running the Script

Let’s test our script against an intentionally vulnerable website: http://testphp.vulnweb.com/

```bash
./xss_scanner.sh testphp.vulnweb.com
```

## Understanding the Output

The script creates a timestamped directory containing:

  1. domains.txt: List of discovered subdomains
  2. waybackurls.txt: All historical URLs found
  3. xss_vulnerabilities.txt: Detailed report of potential XSS vulnerabilities

## Analyzing the Results

After running the script on testphp.vulnweb.com, we found several potential XSS vulnerabilities. Here are a few examples:

  1. http://testphp.vulnweb.com/search.php?test=query
  2. http://testphp.vulnweb.com/artists.php?artist=1

These URLs take user-controlled parameter values that are reflected without proper sanitization, which could let an attacker inject malicious scripts.

## Benefits of This Approach

  1. Comprehensive: Scans subdomains and historical URLs for a thorough analysis.
  2. Time-Efficient: Automates a process that would take hours or days manually.
  3. Customizable: Easily modify the script to add more tools or change the scanning parameters.
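One such customization, added here as an example that is not part of the original post: a pre-filter that sits between `waybackurls` and `dalfox`. Archived URLs usually contain many copies of the same endpoint that differ only in parameter values, while XSS testing cares about which parameter names exist, so the filter drops URLs without a query string and keeps one URL per scheme://host/path and sorted set of parameter names. The sample URLs are constructed; URLs are assumed not to contain whitespace.

```bash
#!/bin/bash
# Added example: normalise and de-duplicate waybackurls output before dalfox.

# Print the "shape" of one URL: scheme://host/path?name1&name2 (names sorted).
# Returns 1 (prints nothing) when the URL carries no query parameters.
url_shape() {
  local url="$1" base query names
  base="${url%%\?*}"
  query="${url#*\?}"
  [ "$query" = "$url" ] && return 1        # no '?' at all
  query="${query%%#*}"                      # drop any fragment
  names=$(printf '%s\n' "$query" | tr '&' '\n' | cut -d= -f1 \
          | grep -v '^$' | sort -u | paste -sd '&' -)
  [ -n "$names" ] || return 1
  printf '%s?%s\n' "$base" "$names"
}

# Read URLs on stdin; emit the first URL seen for each shape, in input order.
dedupe_by_shape() {
  local url shape
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    shape=$(url_shape "$url") || continue
    printf '%s %s\n' "$shape" "$url"
  done | awk '!seen[$1]++ { print $2 }'
}

# Constructed sample input in the form waybackurls prints (values are made up).
SAMPLE_URLS='http://testphp.vulnweb.com/search.php?test=query
http://testphp.vulnweb.com/search.php?test=other
http://testphp.vulnweb.com/artists.php?artist=1
http://testphp.vulnweb.com/artists.php?artist=2&page=3#top
http://testphp.vulnweb.com/artists.php?page=1&artist=7
http://testphp.vulnweb.com/images/logo.png
http://testphp.vulnweb.com/index.php'

# Run the filter over the sample; in the script this would replace the plain
# "sort -u" on the waybackurls output before piping into dalfox.
filter_urls() {
  printf '%s\n' "$SAMPLE_URLS" | dedupe_by_shape
}

filter_urls
```

On the sample, seven archived URLs collapse to three distinct parameter shapes, so dalfox tests each endpoint once per parameter set instead of once per archived value.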

## Ethical Considerations

Remember, always obtain proper authorization before scanning any website or application you don’t own. This tool should only be used for ethical security testing and bug bounty programs where explicitly permitted.

## Conclusion

Automating XSS vulnerability detection can significantly improve your web application security testing process. By combining powerful tools like subfinder, waybackurls, and dalfox, we’ve created a script that can quickly identify potential vulnerabilities across an entire domain.

As web applications grow more complex, tools like this become essential for maintaining security. However, always remember that automated tools are just the first step. Manual verification and secure coding practices are crucial for truly robust web security.

Happy hunting, and stay secure!

For more cybersecurity insights and updates, follow me on Twitter @willfromswiss.
