35 comments

[ 3.1 ms ] story [ 86.2 ms ] thread
Spelling error on the very first image example: "Cofidence"
I submitted a PR to fix the mistake before I read the comment here.
This is so typically HN. What about the main aspects of this submission? Is it really the most advanced? Is it useful? What are your thoughts on its approach, coding style, effectiveness in certain situations etc.

“Found a spelling mistake, stopped looking at it, came here to report spelling mistake.”

But can you really trust someone who misspels?
In this case the tool uses Levenshtein distances so should be fine.
Since this is such a contentious topic let’s explicitly tag it as /s ;) Ps: Thanks for your contributions to Raku!
What makes you think the parent stopped looking at the submission at that point? They're simply reporting a spelling mistake. There's no reason to attack them for that.
Having used XSSStrike, I must say it probably is the best public tool for hunting XSS.
Is there a private tool that only those in the know can use?
There are commerical/non-free tools.
Just a word of caution: Running tools like this from your home IP address is a good way of getting banned from the Internet* by Akamai.

* (yes, yes, you're not banned from the Internet, but you'll be surprised by all the sites you visit that sit behind Akamai)

Some ISPs are relatively easy to get a new IP address on, others are rather difficult, so don't be dumb, use protection: a VPN.

Don't run this kind of stuff on somebody's website without prior consent.
Never said to do so. Even with prior consent you'll still get Akamai mad at you.

My point here is was just that this is a somewhat dangerous tool to start just aiming at random websites. Probably a fair amount of people here that don't understand the full ramifications of their actions.

Just don't run it against anything for which you do not have permission to run such tools.

Running a tool like this against your favorite websites, is a simple way of getting banned from your favorite websites.

Even sites that have bug bounties don't turn off their WAF for you. So you can have permission to run some tools against them, but still anger Akamai.
Couple of years back the amount of captcha I have to solve to visit a site was amazing while using the workplace network. Although the CDN I faced most problems with was CloudFlare.
Blocking VPN ip isn't a great contribution to community. Others including you will get that ip later.

Ruin your internet for yourself, if you have to run such tools on public websites. You shouldn't anyway.

Do I risk getting banned if I only use this against my own websites?
By who?

If you're running out against an Akamai or Cloudfoare reverse proxy in front of your website, then sure. If not, no; they don't have wiretaps.

No support for base64 encoded parameters?
(Hoping that the author(s) is (are) here) Thank you for working on and sharing a great tool. I spotted two typos on the main site:

“...payload generator generates patloads which are...” patloads -> payloads.

“...flaunting it's genius backend.” it’s -> its.

Submit a PR, the author will definately see it.
Must be advanced because:

> Throw away your paid tools because this is some God level shit. Now with 4 hand written parsers, an intelligent payload generator, powerful fuzzing engine, DOM scanner, hidden parameter discovery and an incredibly fast crawler. F*cking retweet it!

- https://twitter.com/s0md3v/status/1061255510677057537

> Exactly, that's why you have no idea how it works and all. Well, it took me a month and being a developer of 30+ open source software, this is the first time I am saying this is some God level shit and I mean it.

- https://twitter.com/s0md3v/status/1061662698335723520

Sarcastic?

Not sure testimonials from the dev themselves mean anything.

Does this work on web-pages behind a login?
You can supply your own http headers. So i guess you can send cookies and that things with it.