Hi, I’m completing the skills assessment for XSS and I have to use XSStrike to find a payload for a text input field on a page. I have done this section before, so I know that it is possible, but I cannot get the payloads to actually be created. I had this same problem a few weeks ago when I tried this last, but I was able to get it working. I remember I made some small change and everything worked, but I’ve tried every possible variation of “comment=” I can think of. Do I have to specify the other fields as well? The --help doesn’t seem to show any flags that do that. Thanks for any help.
└─$ python3 xsstrike.py -u "http://:/assessment/index.php/2021/06/11/welcome-to-security-blog/?comment=test"
XSStrike v3.1.5
[~] Checking for DOM vulnerabilities
[+] Potentially vulnerable objects found
2 ( Element.prototype.matches && Element.prototype.closest && window.NodeList && NodeList.prototype.forEach ) || document.write( '</scr' + 'ipt>' );
2 /(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",(function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())}),!1);
[+] WAF Status: Offline
[!] Testing parameter: comment
[!] Reflections found: 1
[~] Analysing reflections
[~] Generating payloads
[-] No vectors were crafted.