Working with XSpear Tool on Kali Linux

Example 1: Verbose Mode

 XSpear -u “http://testphp.vulnweb.com/listproducts.php?cat=123” -v 2

In this example, we will be performing a scan on our target domain in verbose mode. -v tag is used for verbose mode.

Example 2: Scanning XSS

XSpear -u “http://testphp.vulnweb.com/search.php?test=query” -d “searchFor=yy”

In this example, We will be scanning the target domain from XSS Vulnerability.

Example 3: Only JSON output

XSpear -u “http://testphp.vulnweb.com/search.php?test=query” -d “searchFor=yy” -o json

1. In this example, we will be saving the results of the scan in JSON format. -o tag is used to save the output.

2. In the below Screenshot, We have got the results of our scan in JSON format.

3. In the below Screenshot, We have displayed the JSON format results from the output file.

Example 4: Set scanning thread

XSpear -u “http://testphp.vulnweb.com/search.php?test=query” -t 30

In this example, we are changing the default thread value. -t tag is used to change the default value.

Example 5: Testing at selected parameters

XSpear -u “http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=demo” -p cat,test

1. In this example, we will be testing only the selected parameters. -p tag is used to select the parameters for the scan.

2. In the below Screenshot, We have got the results of our above scan.

Example 6: Testing Only parameter analysis (aka no-xss mode)

XSpear -u “http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=demo” –no-xss

1. In this example, we are only testing the parameters without XSS testing. –no-xss tag is used.

2. In the below Screenshot, We have got the results of our scan.

Example 7: Testing blind XSS(all params)

XSpear -u “http://testphp.vulnweb.com/search.php?test=query” -b “https://hahwul.xss.ht” -a

1. In this example, we are testing the target domain for Blind XSS Vulnerability. We have passed the payload collection link.

2. In the below Screenshot, We have got the results of our scan.

Example 8: Quite mode

XSpear -u http://testphp.vulnweb.com/listproducts.php?cat=123 -a -v2

In this example, we are implementing Quite Mode. We have used -v2 tag for Quite Mode

Example 9: Scanning log

XSpear -u http://testphp.vulnweb.com/listproducts.php?cat=123 -a -v3

1. In this example, we are displaying the live logs of the scan. We have used -v3 tag for live logs.

2. In the below Screenshot, We are getting the live log details of the scan.

Cross-Site Scripting or XSS is the Vulnerability or Security Flaw which is listed in the OWASP Top 10 Vulnerability list. XSS flaw mainly deals with the arbitrary JavaScript code which can compromise the internal architecture of the application. Attacker or Hacker passes the malicious code snippet which consists of intention to stole or destroy the system architecture. This malicious string or code is passed to the server through various means like input fields, parameters, or even passed as a file. In this flaw, the web application generates the output based on the user input, which can be risky if user input is something dangerous.