XSStrike is a python which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs.
+ Python 2.7.x
+ colorama, mechanize python module.
After you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If its not protected by WAF you will get three options
1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.
2. Striker: It bruteforces all the parameters one by one and generates the proof of concept in a browser window.
3. Hulk: Hulk uses a different approach, it doesn’t care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.
XSStrike currently supports GET only but support for POST will be added soon. Unlike other stupid bruteforce programs, XSStrike has a small list of payloads but they are the best one.
git clone https://github.com/UltimateHackers/XSStrike && cd XSStrike
pip install -r requirements.txt
chmod +x xsstrike