xsssniper is a handy XSS discovery tool with mass scanning functionality. It scans the target URL for GET parameters, injects an XSS payload (Y) into each of them, and then parses the response for artifacts of the injection (Z).
The simplest example would be to inject <script type="text/javascript">window.alert('lol')</script> and check the response for <script type="text/javascript">window.alert('lol')</script>; if there is a match, we may have just found an XSS. If no check is specified, xsssniper treats the payload and the check as the same string.
If no payload is specified either, a special file is parsed for common payloads (lib/payloads.xml, feel free to contribute!). Another useful feature is the ability to crawl the target URL for relative links. Every link found is added to the scan queue and processed, so it is easier to test an entire website. In the end, this method is not foolproof, but it is a good heuristic for mass-finding injection points and testing escape strategies. Also, since there is no browser emulation, it is your duty to manually test discovered injections against the various browsers' XSS protections.
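As an added illustration of the scan-and-check heuristic described above (this is example code, not xsssniper's own; the target URL, the canned responses and the verdict names are assumptions), the snippet builds one injected URL per GET parameter and classifies how a response reflects the check string, which is what separates a candidate hit from a reflection the output encoding has already neutralised:

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The page's own simplest payload; with no separate check string, payload == check.
PAYLOAD = '<script type="text/javascript">window.alert(\'lol\')</script>'


def injected_urls(url, payload=PAYLOAD):
    """Return {param_name: url}, each with that one GET parameter replaced by payload.
    Parameters are mutated one at a time so a hit is attributable to one injection point."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    urls = {}
    for i, (name, _) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, payload)
        urls[name] = urlunsplit(parts._replace(query=urlencode(mutated)))
    return urls


def classify_reflection(body, payload=PAYLOAD, check=None):
    """Classify how a response body reflects the check string.

    'raw'     - check appears verbatim: the scanner's hit, still to be confirmed in a browser
    'escaped' - only an HTML-entity-encoded copy appears: the output encoding held
    'none'    - no artifact of the injection at all"""
    check = payload if check is None else check
    if check in body:
        return "raw"
    if escape(check, quote=True) in body or escape(check, quote=False) in body:
        return "escaped"
    return "none"


# Constructed stand-in for the target (no network): the HTML the server would
# return when each parameter carries the payload.
SAMPLE_RESPONSES = {
    "q": "<p>Results for " + PAYLOAD + "</p>",        # reflected verbatim
    "page": "<p>Page " + escape(PAYLOAD) + "</p>",    # reflected entity-encoded
    "lang": "<p>Results</p>",                         # not reflected
}


def scan(url, responses=SAMPLE_RESPONSES):
    """Apply the check to each parameter's canned response; returns {param: verdict}."""
    return {name: classify_reflection(responses.get(name, ""))
            for name in injected_urls(url)}
```

A "raw" verdict is only a candidate: a string reflected verbatim inside an HTML comment or a quoted JavaScript string is one of the false positives the text warns about, which is why the manual browser check still has to follow.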