This script automates the process of gathering potential XSS URLs and testing them using XSStrike.
- Make sure
gau,gf, andXSStrikeare installed and properly configured. - Customize the
encoded_payloads.txtfile to include your desired payloads for more effective testing. - Run the script by replacing
<domain>with your target domain.
#!/bin/bash
# Step 1: Gather URLs that are potential XSS candidates
gau <domain> | gf xss | sort -u | tee Possible_xss.txt
# Step 2: Read each URL and test it with XSStrike
while IFS= read -r url; do
echo "Testing URL: $url"
python3 /home/kali/XSStrike/xsstrike.py -u "$url" --delay 1 -f /home/kali/encoded_payloads.txt
done < /home/kali/Possible_xss.txt
gau <domain> | gf xss | sort -u | tee Possible_xss.txt
gau <domain>: Uses the gau tool to fetch URLs for the specified domain.
gf xss: Filters the URLs using the gf tool for potential XSS vulnerabilities.
sort -u: Sorts the URLs and removes duplicates.
tee Possible_xss.txt: Saves the filtered URLs to Possible_xss.txt and prints them to the terminal.
while IFS= read -r url; do
echo "Testing URL: $url"
python3 /home/kali/XSStrike/xsstrike.py -u "$url" --delay 1 -f /home/kali/encoded_payloads.txt
done < /home/kali/Possible_xss.txt
while IFS= read -r url: Reads each URL from Possible_xss.txt.
echo "Testing URL: $url": Prints the URL being tested.
python3 /home/kali/XSStrike/xsstrike.py -u "$url" --delay 1 -f /home/kali/encoded_payloads.txt: Runs XSStrike on the URL with a delay of 1 second between requests, using payloads from encoded_payloads.txt.
Additional Tips
Ensure gau, gf, and XSStrike are installed and properly configured on your system.
Customize the encoded_payloads.txt file to include your desired payloads for more effective testing.
This script will help you automate the process of testing multiple URLs for XSS vulnerabilities using XSStrike.