xssFuzz: github.com/Asperis-Security/xssFuzz/
This tool is really helpful and time-saving. It just gives us a hint of weak points in the CSP so that we can move forward and focus on this weakness to get an XSS. People really don't even want to read about the tool to understand what the tool's purpose is and what it's doing for us, to use it correctly.
Amazing! I really enjoyed the whole video and took notes. I will be using this tool soon. Keep doing the great work :)
Really glad that you liked the video, Thanks for the support!!
I love the way you teach and also use a real website for it ❤
Thank you so much, I really enjoy watching your videos. Keep it up!
finally found a video where the youtuber is not saying to test out random payloads
Great! 👍 Got to learn new technique
I am glad!
Very good! More videos on stored XSS.
nice video... thank you very much
From your video I learned a new thing, awesome
Glad to hear that
This is like generation-based fuzzing. But it's not enough to break sanitizer WAF. You can add more mutation strategies.
We'll release more new features in the upcoming versions
Hi, can this tool be used on Web3 sites also to find XSS?
Because I’ve literally tried testing for XSS with other tools on Web3 websites (that’s the frontend part, not the smart contract part) and it seems not to work or bypass whatever Cloudflare WAF has been put in place
Make a video on DOM-based XSS please
great content
I was testing a web app and I injected a simple XSS alert(); but after reading the source, I noticed that the dangerous characters were swapped with HTML escape characters, for example "
Generally they are considered to be safe! However, there are certain scenarios where we can still get XSS if the mitigation is weak or if the value is reflected in some interesting areas (like within JS code, etc.)
Normally people already know what XSS, DOM, reflected, etc. are. Please next time go straight to the point/pentest on the live target. Thanks for the video, keep it up
Hey, you did not specify the "title" parameter. How did the tool show that the parameter is vulnerable without you specifying the parameter in the syntax? Did it check other parameters that are already there in the URL, or am I missing something?
Exactly, it will check all the parameters and then start testing the one which is not handling the dangerous chars properly
can you give me that index code that you have used to execute xss
❤❤❤❤ love u bhai
is it possible to test multiple urls at a time, kindly suggest
@musabsk I believe Asperis Security will release this feature in the next version!
Can you recommend me a book or course tutorial for CTF web exploitation?
Should we do it by giving blind xss payload also
Please elaborate
@BePracticalTech you created your own server and added the path where you set up the T.txt file. Instead we also do the same thing in a blind XSS payload. Like
He wants to say that he gives his blind XSS payload and then checks for XSS, but it doesn't make any sense; he can also try manually for blind XSS. @BePracticalTech
bro can u please forward me that test folder
Sir which vps u r using?
Contabo
It accepts a payload like: ">alert(1) ???
Yes
First 🥇
give you xss payloads
@lakshaygamerlt4032 There are custom payloads already present in the tool
This tool doesn't work and is not reliable at all. Try to run it against testphp; it doesn't come up with basic XSS. Such crap.
@Max-mz3is As I have mentioned in the video, this tool is not your typical XSS automation tool. It is more like fuzzing the XSS payload's components, like tags, events, etc.
However, if you want to automate XSS with this tool, then you can use the XSS payloads file and it will work without any issues.
I would suggest you watch the whole video and understand how to use this tool.