Usage of Kxss Tool in Kali Linux

In this section, we will see the practical usage of the Kxss tool against test websites.

Example 1: Target – “http://testasp.vulnweb.com/Search.asp?tfSearch=ok”

Execute the command below in the terminal. It finds the unfiltered parameters on the target website and prints the results in the terminal itself.

echo "http://testasp.vulnweb.com/Search.asp?tfSearch=ok" | kxss

Testing target 1 application

Now we can pass the malicious payload in the parameter and paste the URL into the browser. In the screenshot below, you can see that the malicious payload executed once the script was inserted in the parameter, because the parameter was unfiltered.

Payload Executed on Target 1

Example 2: Target – “http://www.xss-game.appspot.com/level1/frame?query=hello”

In this example, we will test one more target test web application. We run the Kxss tool against the target application to find the unfiltered parameters. Through these, we can inject the malicious code and get access to the web application.

echo "http://www.xss-game.appspot.com/level1/frame?query=hello" | kxss

Testing target 2 application

Now that we have the list of unfiltered parameters, we create a script and paste it into the URL. When we load the website, the script is executed and the XSS payload is triggered.

Payload Executed on Target 2

Kxss – Tool to Identify XSS Vulnerable Parameters / Patterns

Cross-site scripting (XSS) is a common vulnerability, and a trending one that is identified in most web-based applications. The attacker injects malicious JavaScript code, such as a popup script, into input parameters or sometimes through file uploads. To counter this, website designers and developers periodically check the input fields, validating and encoding the input provided by the user. This is where the Kxss tool comes into focus. Kxss is a Golang-based tool that finds the vulnerable parameters and patterns in the target domain URL. If you get a positive result, you can make your own XSS payload or use a strong XSS payload wordlist to test the target domain for the XSS vulnerability.
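The encoding fix mentioned above can be verified with the same kind of reflection check. The Go program below is an added example, not Kxss's code and not part of the original article: the two handlers, the parameter name q and the marker strings are constructed for illustration, and the check runs in-process against those handlers only.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed handlers standing in for a search page like the targets above.
// reflectRaw echoes the parameter as-is; reflectEncoded HTML-encodes it first.
func reflectRaw(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "<p>Results for %s</p>", r.URL.Query().Get("q"))
}

func reflectEncoded(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "<p>Results for %s</p>", html.EscapeString(r.URL.Query().Get("q")))
}

// unfilteredChars wraps each special character in a harmless marker, sends it
// in the named parameter, and returns the characters that come back unencoded.
func unfilteredChars(h http.HandlerFunc, param string) []string {
	var out []string
	for _, c := range []string{"<", ">", "\"", "'", "&"} {
		probe := "zq9" + c + "9qz" // marker on both sides avoids matching "&amp;" etc.
		req := httptest.NewRequest("GET", "/?"+param+"="+url.QueryEscape(probe), nil)
		rec := httptest.NewRecorder()
		h(rec, req) // call the handler directly, no network involved
		if strings.Contains(rec.Body.String(), probe) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	fmt.Println("raw handler reflects:    ", unfilteredChars(reflectRaw, "q"))
	fmt.Println("encoded handler reflects:", unfilteredChars(reflectEncoded, "q"))
}
```

A check like this fits in a unit test next to the handler, so a regression that drops the output encoding fails the build.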

Conclusion

In conclusion, testing the web application is an important process for preventing software and application bugs at an early stage of deployment. Using automated testing tools to find security bugs can help make the application stronger against hackers. As XSS is one of the powerful attacks that can impact the data of the application, we can use the Kxss tool to perform XSS testing on the web application and minimize the risk of data or security theft....