
FinDOM-XSS – Fast DOM Based XSS Vulnerability Scanner

Last Updated : 23 Sep, 2021

DOM XSS stands for Document Object Model-based Cross-site Scripting. DOM-based vulnerabilities arise in the content-processing stage performed on the client, typically in client-side JavaScript. In a DOM-based XSS attack, the malicious string is not handled by the victim's browser until the website's own legitimate JavaScript runs and writes that string into the page.

A DOM-based XSS attack requires attacker-controlled data to enter the page through a source and be delivered to a sink that causes the execution of arbitrary JavaScript. FinDOM-XSS is an automated tool written as a shell script that aims to find possible or potential DOM-based XSS vulnerabilities quickly. The tool is available on GitHub and is free and open source. It works against a single target as well as multiple targets at the same time.
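The source-to-sink idea described above is what a DOM XSS scanner looks for in a site's JavaScript. The following added example (not FinDOM-XSS's own code; its source and sink patterns are a constructed, shortened list) scans a constructed JavaScript snippet line by line, tracks variables assigned from attacker-influenced sources, and reports sink lines where such data arrives, so a reviewer can see why a line like `innerHTML = greeting` is flagged.

```python
import re

# Constructed, shortened lists for illustration; the real tool keeps its own patterns.
SOURCES = [r"location\.(hash|search|href)", r"document\.(URL|referrer)", r"window\.name"]
SINKS = [r"\.innerHTML\s*=", r"\.outerHTML\s*=", r"insertAdjacentHTML\s*\(",
         r"document\.write(ln)?\s*\(", r"\beval\s*\(", r"set(Timeout|Interval)\s*\("]

SOURCE_RE = re.compile("|".join(SOURCES))
SINK_RE = re.compile("|".join(SINKS))
# Matches `var x = ...`, `let x = ...` or `x = ...` (but not `==`); captures name and rhs.
ASSIGN_RE = re.compile(r"^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$")


def mentions_tainted(text, tainted):
    """True if any tainted identifier appears as a bare name (not as a property like a.name)."""
    return any(re.search(r"(?<![\w$.])" + re.escape(v) + r"\b", text) for v in tainted)


def scan_js(source):
    """Line-oriented taint scan. Returns [(line_no, kind, stripped_line)] where kind is
    'source->sink' (attacker-influenced data reaches a sink on that line) or
    'sink' (a dangerous sink with no visible tainted input; worth a manual look)."""
    tainted = set()
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m and (SOURCE_RE.search(m.group(2)) or mentions_tainted(m.group(2), tainted)):
            tainted.add(m.group(1))  # the assigned variable now carries attacker data
        if SINK_RE.search(line):
            hot = SOURCE_RE.search(line) or mentions_tainted(line, tainted)
            findings.append((no, "source->sink" if hot else "sink", line.strip()))
    return findings


# Constructed sample page script: line 3 and line 5 are real DOM XSS, line 7 is a sink fed
# only by a constant, and line 4 uses textContent, which does not interpret HTML.
SAMPLE_JS = """\
var name = decodeURIComponent(location.hash.slice(1));
var greeting = "<b>Hi</b> " + name;
document.getElementById("greet").innerHTML = greeting;
document.getElementById("greet").textContent = name;
eval("track('" + window.name + "')");
var label = "static text";
document.getElementById("x").innerHTML = label;
"""

if __name__ == "__main__":
    for no, kind, line in scan_js(SAMPLE_JS):
        print(f"line {no}: {kind}: {line}")
```

A line reported as plain `sink` is not a confirmed bug; the scan only sees one file, so data reaching it from another script or an earlier request still needs a manual check.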

Installation of FinDOM-XSS Tool in Kali Linux OS

Step 1: Use the following command to install the tool in your Kali Linux operating system.

git clone https://github.com/dwisiswant0/findom-xss.git


Step 2: Now use the following command to move into the directory of the tool. You have to move in the directory in order to run the tool.

cd findom-xss

Step 3: List the contents of the directory

ls

Step 4: Now use the following command to run the tool.

./findom-xss.sh

Working with FinDOM-XSS Tool in Kali Linux OS

Example 1: Run the tool on a target

./findom-xss.sh http://geeksforgeeks.org

In this example, we are running the tool against the domain http://geeksforgeeks.org.


The tool has found potential DOM sinks on http://geeksforgeeks.org through which XSS could be executed.


Results are saved in the text file:


Example 2: Run the tool against multiple targets

cat urls.txt | ./findom-xss.sh

In this example, we are running the tool against multiple targets whose URLs are listed, one per line, in the urls.txt file and piped to the tool on standard input.


Potential DOM sinks were found on http://geeksforgeeks.org.


Potential DOM sinks were found on http://bugcrowd.com.


No potential DOM sink was detected on http://facebook.com.
