/knoxsser

A powerful bash script for massive XSS scanning leveraging Brute Logic's KNOXSS API

Primary LanguageShellMIT LicenseMIT

KNOXSSer v1.6

An powerful bash script for massive XSS scanning leveraging Brute Logic's KNOXSS API

made-with-bash Maintenance MIT license PRs Welcome Latest release Open Source Love svg1

image

Installation

curl -sSL https://raw.githubusercontent.com/0xPugal/knoxsser/master/knoxsser.sh -o knoxsser.sh && chmod +x knoxsser.sh && sudo mv knoxsser.sh /usr/bin/knoxsser

Prerequisites

jq and parallel must be installed in your system to run this tool

  • Debian based Distros - sudo apt install -y curl jq parallel
  • RedHat based Distros - dnf install curl jq parallel
  • Arch based Distros - pacman -S curl jq parallel
  • Mac OS - brew install jq parallel

Configure your knoxss api key in line 36 of knoxsser or pass the API key with -A argument.

Notify must be installed on your system, to send notifications on sucessful xss.(optional)

Help

Options:
  -i, --input     Input file containing URLs or single URL to scan
  -o, --output    Output file to save XSS results (default: xss.txt)
  -A, --api       API key for Knoxss
  -s, --silent    Print only results without displaying the banner and target count
  -n, --notify    Send notifications on successful XSSes via notify
  -p, --process   Number of URLs to scan parallely(1-5) (default: 3)
  -r, --retry     Number of times to retry on target connection issues and can't finish scans"
  -v, --version   Display the version and exit
  -V, --verbose   Enable verbose output
  -h, --help      Display this help message and exit

Features

  • Enables scanning of both single URLs and files containing multiple URLs
  • Unscanned / Remaining URLs and URLs that encountered errors are saved in a <input>+date-time.todo file, providing a record of URLs not successfully scanned along with a timestamp.
  • Ability to stop the scan and save the remaining URLs in a <input>+date-time.todo file.
  • Successful XSS results are saved by default in xss.txt, with their full JSON responses, and error.log file for further investigation for Unknown Errors.
  • Ability to retry the scan, if any error like Connection issues or can't able to scan by knoxss
  • Prints the API calls number along with the scanning process.
  • Send notifications on successful XSSes through notify
  • Parallel scans options for faster scan completion
  • Verbose option functionality for printing response from knoxss api in the terminal

Usage

# All in one
  knoxsser -i input.txt -p 3 -n -V -r 2 -o knoxss.txt

# Single URL scan
  knoxsser --input https://brutelogic.com.br/xss.php?a=1

# Scan a list of URLs
  knoxsser --input urls.txt

# Send the notification on successful xss through notify
  knoxsser --input input.txt --notify

# Verbose option functionality
  knoxsser --input input.txt --verbose

# Parallel scan process
  knoxsser --input input.txt --process 3

ToDo

  • Allow knoxsser to read input from stdin
  • Stop the scan on Invalid or Expired API Key and API rate limit exceeded and save the urls in <input>-date-time.todo file

Credits

Caution

⚠️ Disclaimer: I am not responsible for any use, and especially misuse, of this tool or the KNOXSS API