Ecco alcuni scanner per vulnerabilità delle applicazioni Web Open Source che supportano la scansione XSS:
x5s is a Fiddler addon which aims to assist penetration testers in
finding cross-site scripting vulnerabilities. This is not a point and
shoot tool, it requires some understanding of how encoding issues lead
to XSS, and it requires manual driving.
Documentazione: link
Scarica X5S: link
Grabber is a web application scanner. Basically it detects some kind
of vulnerabilities in your website. Grabber is simple, not fast but
portable and really adaptable. This software is designed to scan small
websites such as personals, forums etc. absolutely not big
application: it would take too long time and flood your network.
Scaricalo qui: link
Codice sorgente su Github: link
Vega is a free and open source web security scanner and web security
testing platform to test the security of web applications. Vega can
help you find and validate SQL Injection, Cross-Site Scripting (XSS),
inadvertently disclosed sensitive information, and other
vulnerabilities. It is written in Java, GUI based, and runs on Linux,
OS X, and Windows.
Documentazione: link
Scarica Vega: link
Zed Attack Proxy (ZAP) is one of the world’s most popular free
security tools and is actively maintained by hundreds of international
volunteers*. It can help you automatically find security
vulnerabilities in your web applications while you are developing and
testing your applications. Its also a great tool for experienced
pentesters to use for manual security testing.
Documentazione: link
Scarica ZAP: link
Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code
of the application but will scans the webpages of the deployed webapp,
looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads
to see if a script is vulnerable.
Documentazione: link
Scarica Wapiti: link
- W3af:
w3af is a Web Application Attack and Audit Framework. The project’s
goal is to create a framework to help you secure your web applications
by finding and exploiting all web application vulnerabilities.
Documentazione: link
Scarica W3af: link
- WebScarab:
WebScarab is a framework for analysing applications that communicate
using the HTTP and HTTPS protocols. It is written in Java, and is thus
portable to many platforms. WebScarab has several modes of operation,
implemented by a number of plugins. In its most common usage,
WebScarab operates as an intercepting proxy, allowing the operator to
review and modify requests created by the browser before they are sent
to the server, and to review and modify responses returned from the
server before they are received by the browser. WebScarab is able to
intercept both HTTP and HTTPS communication. The operator can also
review the conversations (requests and responses) that have passed
through WebScarab.
Documentazione: link
Scarica WebScarab: link
Plugin XSS: link
Buona fortuna!