The first step is to gather all URLs for the target domain and filter out reflected and unfiltered special characters parameters using a single one-liner command that combines multiple tools.<\/p>\n\n\n\n
echo example.com | gau | gf xss | uro | Gxss | kxss | tee xss_output.txt<\/code><\/code><\/pre>\n\n\n\n\n- GAU:<\/strong>\u00a0fetches old URLs from passive sources like WaybackURLs, AlienVault, Common Crawl and URLscan.<\/li>\n\n\n\n
- GF pattern:<\/strong>\u00a0filters for URLs with parameters often vulnerable to XSS<\/li>\n\n\n\n
- URO:<\/strong>\u00a0removes duplicate URLs so only unique entries remain.<\/li>\n\n\n\n
- Gxss:<\/strong>\u00a0checks for URLs with parameters which reflect in the response.<\/li>\n\n\n\n
- Kxss:<\/strong>\u00a0identifies URLs with unfiltered special characters useful for XSS execution<\/li>\n\n\n\n
- tee:<\/strong>\u00a0saves output to a file and displays it on the screen simultaneously.<\/li>\n<\/ul>\n\n\n\n
After running this command, you\u2019ll see all URLs with reflected parameters that contain unfiltered characters commonly used in XSS payloads.
<\/p>\n\n\n\n
The following oneliner adds a content-type filter for HTML, XML, and SVG, removing images, JSON and other noise so your scans checks focus on endpoints where XSS or iframe\/HTML-injection payloads can execute.<\/p>\n\n\n\n
echo https:\/\/domain.com | gau | gf xss | httpx -ct -silent -nc | grep -i -E \"text\/html|application\/xhtml+xml|application\/xml|text\/xml|image\/svg+xml|application\/html|application\/xml\" | cut -d '[' -f 1 | Gxss | kxss<\/code><\/pre>\n\n\n\nAfter opening\u00a0xss_output.txt<\/strong>, you\u2019ll see the raw results, but they include some noisy entries. To improve this, run the command below.<\/p>\n\n\n\ncat xss_output.txt | grep -oP '^URL: \\K\\S+' | sed 's\/=.*\/=\/' | sort -u > final.txt<\/code><\/pre>\n\n\n\nWhat this command does: it grabs just the URLs, strips off the parameter values (so page.php?id=123 becomes page.php?id=), sorts everything, and removes duplicates. The tidy list ends up in final.txt.<\/p>\n\n\n\n
\nAt this point you know the vulnerable urls. Do manual inspection or continue as below<\/p>\n<\/blockquote>\n\n\n\n
Use the\u00a0Loxs<\/strong>\u00a0tool to automate the verification and reporting steps.<\/p>\n\n\n\n\n- Move the final.txt file into your Loxs tool directory.<\/li>\n\n\n\n
- Run the tool and select option 4 for XSS scanning.<\/li>\n\n\n\n
- When prompted, provide the path to your target list (final.txt) and a file containing your desired XSS payloads.<\/li>\n<\/ol>\n\n\n\n
Now\u00a0Loxs<\/strong>\u00a0will go through each URL and test all payloads one by one. If it finds any XSS, it will print the confirmed vulnerable URL in the terminal. Copy any of those links into a browser to reproduce and confirm the XSS popup. Let the scan finish and it will generate a neat HTML report summarizing all findings.<\/p>\n\n\n\n