
For Developers

Somdev Sangwan edited this page Nov 11, 2018 · 15 revisions

A thorough explanation of the different modules and the overall workflow.

Documentation is in progress; check back later.

Modules

config.py

This file holds various variables that are used throughout the code.
Here's a comprehensive list of all the variables:

  • changes: It contains the changelog to be displayed when a user checks for an update.
  • xsschecker: This non-malicious string is used as a probe to detect reflection contexts.
  • minEfficiency: Payloads with an efficiency lower than this value will not be displayed to the user.
  • delay: Default delay between requests.
  • threadCount: Default number of threads.
  • timeout: Default HTTP request timeout.
  • specialAttributes: HTML tag attributes that need to be treated specially because of their nature.
  • badTags: HTML tags which need to be broken out of, as the code within them is not evaluated by browsers.
  • tags: Tags to be used while generating payloads.
  • jsFillings: Characters that can be used around a JS function call without breaking the syntax.
  • lFillings: Characters that can be used before > in an HTML tag.
  • eFillings: Characters that can be used between = and a JavaScript function or event handler.
  • fillings: Strings that can be used instead of a space.
  • eventHandlers: Event handlers and the tags compatible with them, used while generating payloads.
  • functions: JavaScript functions that serve as the proof of concept (PoC) for a payload.
  • payloads: Payloads for filter and WAF evasion.
  • fuzzes: Strings to be sent while fuzzing a target.
  • headers: Default headers to be sent.
  • blindParams: List of common parameter names for parameter discovery.

colors.py

It contains ANSI escape sequences which produce colored output.

requester.py

XSStrike makes all of its HTTP requests through this module. It accepts the following self-explanatory parameters:
url, data, headers, GET, delay, timeout

htmlParser.py

It parses the response of the target webpage and figures out the following things:

  • Context: The context in which the input is reflected. It can be html, attribute, script or comment.
  • Breaker: The term for the string that should be used to break out of the string in which the input is reflected.
  • Attribute: The attribute name, in the case of attribute context.
  • Tag: The tag name, in the case of attribute context.
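As an added illustration of what htmlParser.py does (this is example code written for this page, not XSStrike's own parser), the following Python uses the standard library's html.parser to find every reflection of a benign probe string in a constructed response and classify its context as html, attribute, script or comment. The probe value, the sample response and the quote field (the delimiter enclosing an attribute value, which is what a breaker would have to close) are assumptions made for this example; XSStrike's real implementation may differ in detail.

```python
import re
from html.parser import HTMLParser

PROBE = "v3dm0s"  # constructed stand-in for the xsschecker probe in config.py

# Elements that never have a closing tag, so they must not stay on the tag stack
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class ReflectionParser(HTMLParser):
    """Records every place the probe is reflected and classifies its context."""

    def __init__(self, probe):
        super().__init__()
        self.probe = probe
        self.tag_stack = []     # open (non-void) tags, innermost last
        self.reflections = []   # dicts with context, tag, attribute, quote

    def _check_attributes(self, tag, attrs):
        raw = self.get_starttag_text() or ""
        for name, value in attrs:
            if value is None or self.probe not in value:
                continue
            # Which delimiter encloses the value decides what a breaker would need to close
            match = re.search(re.escape(name) + r"""\s*=\s*(["']?)""", raw, re.IGNORECASE)
            quote = match.group(1) if match else ""
            self.reflections.append({"context": "attribute", "tag": tag,
                                     "attribute": name, "quote": quote})

    def handle_starttag(self, tag, attrs):
        self._check_attributes(tag, attrs)
        if tag not in VOID_TAGS:
            self.tag_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <tag ... /> opens nothing, so only inspect its attributes
        self._check_attributes(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.tag_stack:
            while self.tag_stack.pop() != tag:
                pass

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data as raw text, so the
        # innermost open tag tells html text apart from script text
        if self.probe in data:
            current = self.tag_stack[-1] if self.tag_stack else None
            context = "script" if current == "script" else "html"
            self.reflections.append({"context": context, "tag": current,
                                     "attribute": None, "quote": ""})

    def handle_comment(self, data):
        if self.probe in data:
            self.reflections.append({"context": "comment", "tag": None,
                                     "attribute": None, "quote": ""})


def find_reflections(response_body, probe=PROBE):
    """Parse one response body and return the list of classified reflections."""
    parser = ReflectionParser(probe)
    parser.feed(response_body)
    parser.close()
    return parser.reflections


# Constructed response that reflects the probe in all four contexts
SAMPLE_RESPONSE = """<html><body>
<!-- debug: last query was v3dm0s -->
<input type="text" value="v3dm0s">
<p>You searched for v3dm0s</p>
<script>var q = "v3dm0s";</script>
</body></html>"""


if __name__ == "__main__":
    for reflection in find_reflections(SAMPLE_RESPONSE):
        print(reflection)
```

Running it on the constructed response reports four reflections in document order: comment, attribute (tag input, attribute value, quote "), html inside p, and script. A reviewer checking output encoding can use the same classification to see which contexts a page reflects user input into.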

jsContexter.py

It is a JavaScript parser that returns a string which can be used to break out of the current JavaScript context.

checker.py

Whenever XSStrike needs to inject a string and observe the response, this module is called. It records the positions of the reflections when first contact is made with the target for parsing, and then uses those positions to locate the reflections in all subsequent injections. The injected string and the reflected string are compared using Levenshtein distance, which yields how similar the two strings are. The value ranges from 0 to 100 and is called the efficiency of the injected string, i.e. the payload.

filterChecker.py

It checks each of the special characters that may be used while generating a payload to see whether they are escaped or not. It uses checker.py for this purpose.
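To make the checker.py and filterChecker.py descriptions above concrete, here is an added Python example (written for this page, not XSStrike's code) that scores reflections with a Levenshtein-based efficiency and then checks, for each special character, whether a simulated target escapes it. The simulated target, the probe value, the character list and the 0 to 100 normalisation are assumptions made for this example. One deliberate difference from a raw byte-offset approach: each reflection is anchored on the text immediately preceding it, so that a longer reflection earlier in the page does not shift the positions of the later ones.

```python
import html

PROBE = "v3dm0s"  # constructed stand-in for the xsschecker probe in config.py
SPECIAL_CHARS = ["<", ">", '"', "'", "/"]  # constructed subset of characters a filter might encode

# Constructed stand-in for a target page that reflects the input twice: as text and in an attribute
TEMPLATE = '<html><body><p>Results for: {q}</p><input value="{q}"></body></html>'


def simulated_response(user_input, escape_output):
    """Pretend web server; with escape_output=True it HTML-encodes the reflection."""
    rendered = html.escape(user_input, quote=True) if escape_output else user_input
    return TEMPLATE.format(q=rendered)


def levenshtein(a, b):
    """Classic edit distance via a rolling dynamic-programming row."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def efficiency(injected, reflected):
    """Similarity on a 0-100 scale (assumed normalisation: 1 - distance / longer length)."""
    longest = max(len(injected), len(reflected))
    if longest == 0:
        return 100
    return round(100 * (1 - levenshtein(injected, reflected) / longest))


def record_anchors(response, probe, width=12):
    """First contact: remember the text just before each reflection of the probe."""
    anchors, start = [], 0
    while True:
        idx = response.find(probe, start)
        if idx == -1:
            return anchors
        anchors.append(response[max(0, idx - width):idx])
        start = idx + len(probe)


def check_reflection(response, anchors, injected):
    """Later injections: locate each anchor in order and score what follows it."""
    scores, cursor = [], 0
    for anchor in anchors:
        idx = response.find(anchor, cursor)
        if idx == -1:
            scores.append(0)  # the reflection disappeared entirely
            continue
        start = idx + len(anchor)
        scores.append(efficiency(injected, response[start:start + len(injected)]))
        cursor = start
    return scores


def check_filters(escape_output):
    """filterChecker.py analogue: inject probe+char+probe and report the efficiency per character."""
    anchors = record_anchors(simulated_response(PROBE, escape_output), PROBE)
    report = {}
    for ch in SPECIAL_CHARS:
        injected = PROBE + ch + PROBE
        report[ch] = check_reflection(simulated_response(injected, escape_output), anchors, injected)
    return report


if __name__ == "__main__":
    for label, escaped in (("unescaped target", False), ("escaping target", True)):
        print(label, check_filters(escaped))
```

Against the unescaped target every character scores 100 at both reflection points; against the escaping target the angle brackets and quotes fall below 100 because html.escape rewrites them, while / stays at 100 because html.escape leaves it alone. That last case is the kind of result minEfficiency is meant to filter on: a character that survives encoding intact is reported at full efficiency, a rewritten one is not.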

generator.py

This is the payload engine. It analyses the information returned by htmlParser.py and filterChecker.py to see whether any payload scheme can work under those conditions.
Note that it assigns an attribute named confidence to each payload group, which represents how much confidence the developer has in that payload group. It ranges from 0 to 10; the higher, the better.

wafDetector.py

As the name suggests, it detects the most common WAFs by checking the response headers, status code and body.

utils.py

It is a collection of small utility functions that are used throughout the code.
