XSSCon – Simple and Powerful XSS Scanner tool
XSSCon tool is a Python-based tool that features a powerful XSS (Cross-Site Scripting) Scanner. XSS is the most common vulnerability, which is identified on almost every web-based application; you only have to find an input field where you can inject your malicious payload. Automation can reduce your manual work if there is enormous scope in your target domain. You can use this XSSCon tool while performing penetration testing of web-based applications, or you can also use this tool in Bug Bounty Programs for getting low-medium level bugs and earning lots of Bounty.
- XSSCon crawls all links in a target domain; it has a strong crawler engine in the same domain.
- XSSCon supports POST and GET types of Requests and Responses.
- XSSCon has many settings which you can easily customize.
- XSSCon is a fully automated tool.
Installation of XSSCon Tool in Kali Linux:
Step 1: First, you have to open your Kali Linux terminal and move to the desktop directory using the following command. On the desktop, we have to create a directory in which we will install the tool or clone the tool from GitHub.
Step 2: Now, we are on the desktop. We will create a new directory called XSSCon using the following command.
Step 3: You have created the directory XSSCon on the Desktop and move to that directory using the following command.
Step 4: Install the required package (bs4/beautifulsoap) using the following command.
pip3 install bs4
Step 5: Install the required package (requests) using the following command.
pip3 install requests
Step 6: Now you are under XSSCon directory. In this directory, you have to clone the XSSCon tool from GitHub. For cloning the tool, use the following command.
git clone https://github.com/menkrep1337/XSSCon
Step 7: Now, the tool has been cloned successfully to the XSSCon directory. Now list out all the contents of the tool using the following commands.
Step 8: You can see a new directory here. XSSCon created,now move to this directory using the following command.
Step 9: List out all the content of the directory using the following command.
Step 10: You have downloaded the tool, and now you have to give permission to the tool using the following command.
chmod 777 xsscon.py requirements.txt
Step 11: List out the content of the tool again to check permissions using the following command.
Step 12: Permission has been given to requirements also. Now install all the requirements using the following command.
Note : You can skip this step if you have installed the required packages from Step 4 and 5
pip3 install -r requirements.txt
Step 13: Check the help page of the tool to get a better understanding of tool usage.
python3 xsscon.py --help
Working with XSSCon
The tool has been downloaded successfully. Using this tool, you can easily check the cross-site scripting vulnerabilities of the websites and webapps. Now here are some examples of using the XSSCon tool.
python3 xsscon.py -u http://testphp.vulnweb.com
The XSSCon tool has started checking cross-site scripting vulnerabilities. These are the vulnerabilities that the tool has detected. The tool keeps checking the website again and again. When finding a vulnerable website, it will show you at the terminal.
Now, you can see the payload injected by XSSCon is actually working if we open the link in a web browser. The Popup comes when we hit the malicious link.