XanXSS : A Simple XSS Finding Tool, That Creates Payloads Based From Templates

XanXSS is a reflected XSS searching tool (DOM coming soon) that creates payloads based from templates. Unlike other XSS scanners that just run through a list of payloads. XanXSS tries to make the payload unidentifiable, for example:


  •     Ability to pass your own headers using -H
  •     Ability to generate a polyglot script using -P
  •     Ability to run behind a proxy using –proxy
  •     And many more


With XanXSS every payload is different. XanXSS works by running through the payloads until a specified number is found or a timer hits the max time, this prevents it from looping for to long. Some of the features included in XanXSS:

<ifrAmE&#13;Src= [2].Find(CoNfirm);= "JAVaScRIpT:proMpT(1))"javAscrIpt:/*--></scRIPt>
/>cLIcK&#13;Me!</b</TextaRea></TiTLE><BUTtON ONcLIck='aleRT(1);'/>XaNxss</TEXTaRea>

Proof of Concept

For this proof of concept we will use https://xss-game.appspot.com/level1/frame

[email protected]:~/bin/python/xanxss$ python xanxss.py -u "http://xss-game.appspot.com/level1/frame?query=" -a 12 -t 12 -f 25 -v 

Now lets check those scripts in the HTML of the website:




XanXSS comes complete with the ability to use a proxy, is compatible with proxychains, and allows you to add custom headers. I have provided a full list of options for your convience:

usage: xanxss.py [-h] [-u http://test.com/test.php?id=] [-a VERIFY]
                 [-f AMOUNT] [-t TIME] [-p SCRIPT, [SCRIPT, ...]]
                 [-F FILE-PATH] [-v] [--proxy TYPE://IP:PORT]
                 [-H HEADER=VALUE,HEADER:VALUE] [--throttle TIME secs] [-P]

optional arguments:
  -h, --help            show this help message and exit
  -u http://test.com/test.php?id=, --url http://test.com/test.php?id=
                        pass a URL to test for XSS vulnerabilities. it is
                        recommended that you use a URL with a query parameter
  -a VERIFY, --amount VERIFY
                        how many verifications steps to be taken, this will
                        determine how reliable the payload is. the more
                        verification steps the more reliable the payload will
                        be (*default=5)
  -f AMOUNT, --find AMOUNT
                        attempt to find this amount of working payloads,
                        specifying this does not guarantee you will find this
                        amount of working payloads (*default=25)
  -t TIME, --time TIME  amount of time in seconds to spend on testing, this
                        will be used as a timer for the verification
  -p SCRIPT, [SCRIPT, ...], --payloads SCRIPT, [SCRIPT, ...]
                        pass a comma separated list of your own payloads, must
                        contain at least 5 payloads
                        pass a textual file containing payloads one per line,
                        must contain at least 5 payloads
  -v, --verbose         run in verbose mode and display more output
  --proxy TYPE://IP:PORT
                        pass a proxy in the format type://ip:port
                        add your own custom headers to the request
  --throttle TIME (secs)
                        throttle each request with a sleep time (*default=0)
  -P, --polyglot        generate a polyglot script to append to the end of the
                        running scripts, if there is XSS this should find it

For test XXS: example- python xanxss.py -u “http://xss-game.appspot.com/level1/frame?query=” -a 12 -t 12 -f 25 -v


Share this article. Enjoy Learning..!! 

Leave a Reply