Ir al contenido principal

How to test your application for XSS vulnerabilities using XSStrike

When testing an application for XSS vulnerabilities it can be sometimes hard to come up with a successful attack and test multiple alternatives. You can use an app like XSStrike to automate this, in this quick tips episode, you will learn how. Above is the vid and below you will find some useful notes.
  1. 1.

    Pre-reqs

    • Have node.js installed for the sample app
    • Have Docker installed
  2. 2.

    Using XSStrike

    • Create the dockerfile with xsstrike
      FROM continuumio/anaconda3
      
      WORKDIR /workdir
      
      RUN apt-get install -y unzip
      
      ADD https://github.com/s0md3v/XSStrike/archive/master.zip ./
      
      RUN unzip master.zip && \
          rm master.zip
      
      RUN conda config --append channels conda-forge && \
          conda install fuzzywuzzy requests
      
      ENTRYPOINT ["python", "./XSStrike-master/xsstrike.py"]
      
    • Build the image
      docker build -t xsstrike .
      
    • Run xsstrike to check options
      docker run -it --rm --name xsstrike xsstrike
      
      Run xsstrike to test against the vulnerable app from the video
      docker run -it --rm --name xsstrike xsstrike -u "http://192.168.99.1:3000/?name=testing"
      
  3. 3.

Comentarios