Is it really easy to solve or find XSS vulnerabilities?
Yes, if you have the right tool at hand. XSSTRON is essentially a Chromium-based browser with a smooth interface. You simply browse websites, and it automatically detects and shows whether a site is vulnerable to XSS and, if it is, how to exploit it.
You should try XSSTRON at least once, and if you are a beginner, you should definitely try this tool.
Let’s see how XSSTron can be configured and used.
Installing and Configuring XSSTRON
- Download Node.js (which ships with npm) from https://nodejs.org/en/download/ and install it.
- Download XSSTRON from https://github.com/RenwaX23/XSSTRON/archive/main.zip and extract it.
- Open the extracted folder, Shift+right-click inside it and choose ‘Open PowerShell window here’.
- Run ‘npm install’ to download the dependencies listed in the project's package.json.
Now that all required dependencies are installed, it is time to launch XSSTRON with ‘npm start’:
PS J:\Users\TheHawk\Downloads\XSSTRON-main\XSSTRON-main> npm start
> [email protected] start J:\Users\TheHawk\Downloads\XSSTRON-main\XSSTRON-main
> electron .
After running ‘npm start’ in PowerShell, the Electron-based browser opens.
Finding XSS Vulnerability using XSSTRON
Now we need a target that is vulnerable to XSS. We are testing a lab from the Web Security Academy run by PortSwigger. You can get one by signing up at https://portswigger.net, heading over to the ‘All labs’ section and choosing an XSS lab.
We chose ‘Reflected XSS into HTML context with nothing encoded’.
- Start the lab, search for something in the search bar and copy the resulting URL.
- Paste it into the XSSTRON browser and press Enter.
So, we’ve found one! Let’s see what the popup window shows.
The popup window lists the payloads that were tested and the one that worked. Copy that string and paste it into the lab’s search bar.
We have solved the lab.
That’s amazing! We passed the test.
Even though this was a simple XSS vulnerability, it shows how useful XSSTRON is. That is the point in ethical hacking: knowledge alone is not enough; we also need the right tools.
The XSSTRON tool will be very useful for beginners and also for people who don’t like to use command-line interfaces.
What’s your opinion about XSSTRON? Let us know in the comment box below.