Issue: XXS Strike "No vectors were crafted."

Hi, I’m completing the skills assessment for XSS and I have to use XSStrike to find a payload for a text input field on a page. I have done this section before, so I know that it is possible, but I cannot get the payloads to actually be created. I had this same problem a few weeks ago when I tried this last, but I was able to get it working. I remember a made some small change and everything worked, but I’ve tried every possible variation of “comment=” I can think of. Do I have to specify the other fields as well? The --help doesn’t seem to show any flags that do that. Thanks for any help.

└─$ python3 xsstrike.py -u “http://:/assessment/index.php/2021/06/11/welcome-to-security-blog/?comment=test”

    XSStrike v3.1.5                                                                                                    

[~] Checking for DOM vulnerabilities
[+] Potentially vulnerable objects found

2 ( Element.prototype.matches && Element.prototype.closest && window.NodeList && NodeList.prototype.forEach ) || document.write( ‘</scr’ + ‘ipt>’ );
2 /(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener(“hashchange”,(function(){var t,e=location.hash.substring(1);/[1]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())}),!1);

[+] WAF Status: Offline
[!] Testing parameter: comment
[!] Reflections found: 1
[~] Analysing reflections
[~] Generating payloads
[-] No vectors were crafted.


  1. A-z0-9_- ↩︎

Hey! As far as I know xsstrike will not get you a flag on the XSS Skills Assessment. They mention the final exploitation is a session hijacking attack. And technically it is blind like the one in the module. When you submit the comment, you will notice that the page takes some time to process, which is essentially running the exploit you have crafted.

I haven’t delved deep into the use of xsstrike, but your post definitely got me interested in the possibility. However, it still doesn’t seem likely to work. The comment form is submitted to the server in a POST request so I would use the --data switch followed by the POST parameters like comment=. I tried it and it didn’t work.

You could also give the --crawl and --blind switches, but I think the best way to solve this is still the same way that was taught in the Session Hijacking module.

Definitely hit me up if you need help, or if you find a solution with xsstrike.
-onthesauce