Categories: Kali Linux

Femida : Automated blind-XSS Search For Burp Suite

Femida is automated blind-xss search plugin for Burp Suite.

Installation

Git clone https://github.com/wish-i-was/femida.git 
Burp -> Extender -> Add -> find and select blind-xss.py

Also Read – IoT Implant : Toolkit For Implant Attack Of IoT Devices

How to use?

Settings

First of all you need to setup your callback URL in field called “Your url” and press Enter to automatically save it inside config.py file.

After you set it up you need to fill Payloads table with your OOB-XSS vectors, so extension will be able to inject your payloads into outgoing requests.

Pay attantion that you need to set {URL} alias inside your payload, so the extension will be able to get data from “Your url” field and set it directly to your payload.

Behaviours

Femida is Random Driven Extension, so every payload with “1” inside row “Active” will be randomly used during your active or passive scanning. So if you want exclude any payload or parameter/header from testing just change the “Active” value to 0.

Payloads

  • Add your payloads to the table using Upload or Add button.
  • DO NOT FORGET about {URL} parameter in your payloads.
  • When you add any data into tables, Active row will be manualy equal 1. (mean it’s active now)
  • If you want to make it inactive – set Active row to 0

Headers & Parameters

  • You can add data manualy using Add button or in Target/Proxy/Repeater with right-click.
  • Do not forget, taht headers and parameters are case insensitive.
  • If you want to make it inactive – set Active row to 0.

Usage

Extension is able to perform both active and passive checks.

After all is setup you can start using extension. First case is passive checks, so we will cover this process now:

  • Press button “Run proxy”, while it’s active extension is looking for configured parameters and headers. After successful find it’s put payload into it. If you are find some troubles during your testing (WAF or Errors or etc.) you can turn on button “Parallel Request” so all requests with a payload will be sent in a background as a duplicate requests with payloads, but your main session will be clear so you will be able to check that everything is correct just by monitoring debug log.
Download
R K

Share
Published by
R K
7 years ago

Recent Posts

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

9 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

19 hours ago

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

20 hours ago

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

20 hours ago

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

20 hours ago

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

22 hours ago