Shuriken was developed by Shogun Lab as an open source Cross-Site Scripting (XSS) command line utility to aid web security researchers who want to test a list of XSS payloads in a web application. It allows a tester to easily change payload lists, log results and take screenshots of successful payloads.

It should only be used on valid targets who have consented to pentesting, please ensure you have permission before using this tool against a web application.

Shuriken can be installed by downloading the zip file here or by cloning the Git repository:

git clone https://github.com/shogunlab/shuriken.git

Shuriken works with Python 2.7.x on any platform.

• Easily specify where in a URL the payload should be injected with the "{xss}" string.
• Quickly change payload lists.
• Take screenshots of successful XSS payloads.
• Save logs of reflected XSS payloads.
• Use fuzzy detection to log partial XSS reflections.

To get a list of options and switches, enter:

python shuriken_xss.py -h

To test a list of payloads against a target URL, specify where the payloads will go with "{xss}" and enter:

python shuriken_xss.py -u "http://example.com/target.php?name={xss}" -p "xss-payload-list.txt"

If you would like to screenshot and save all reflected XSS payloads, use the -s or --screen flag with a name for the screenshot images and enter:

python shuriken_xss.py -s ExampleTarget -u "http://example.com/target.php?name={xss}" -p "xss-payload-list.txt"

To wait a specific amount of time in between requests, use the -t flag with the amount of time to wait in seconds and enter:

python shuriken_xss.py -t 1.5 -u "http://example.com/target.php?name={xss}" -p "xss-payload-list.txt"

To enable partial or fuzzy detection of XSS payloads in HTML source code, use the -f or --fuzzy flag with the level of detection you want to log. For example, the following command will only log XSS payload reflections that have a 75% matching score or above in the HTML source code returned:

python shuriken_xss.py -f 75 -u "http://example.com/target.php?name={xss}" -p "xss-payload-list.txt"

The default matching score supplied is 50% and will be applied when a flag with no number is given (e.g. -f or --fuzzy):

python shuriken_xss.py -f -u "http://example.com/target.php?name={xss}" -p "xss-payload-list.txt"

Partial detection is applied through the use of SeatGeek's FuzzyWuzzy Python library token_set_ratio() method and additional information regarding this library can be found here.

Partial XSS reflections will be logged in a separate text file ending with "_partials.txt".

You must specify a payload and URL, if you don't then you'll get an error. For an example payload to test with, check out this list of common XSS payloads.

You also must have PhantomJS installed and configured in order for the tool to run in its default mode. See the next section for more details on this.

There may be a noticeable slowdown of the tool when it is being used in a virtual machine such as VirtualBox. For best performance, use Shuriken on a native machine. I am currently looking to address this virtual machine slowdown in a future update.

This tool depends on the proper configuration and installation of the following:

• Python 2.7.x - Python 2 is needed to run the tool.
• Splinter - Python library allowing use of a headless web browser for testing.
• PhantomJS - Headless WebKit browser used by Splinter for testing.
• Selenium 2.0 - WebDriver required by PhantomJS browser.
• FuzzyWuzzy - Partial XSS logging using fuzzy detection methods.
• python-Levenshtein - Python extension for computing string edit distances and similarities. Allows faster fuzzy detection from the FuzzyWuzzy library.

Python dependencies can be installed using pip: pip install -r requirements.txt. Use your platform-specific mechanism to install PhatomJS (e.g. brew on OSX, apt-get on Debian or Ubuntu, etc).

If you would prefer that this tool use a different browser for testing, you can read the Splinter docs and insert your preferred browser in the "inject_payload" method where it says browser = Browser("phantomjs"). Leaving it blank as browser = Browser() will default to Firefox.

Basic usage

With -s or --screen option to record screenshots and -t option to delay requests by specific amount

With -f or --fuzzy option to fuzzy detect and log partial XSS payload reflections

Shuriken was derived from the excellent XSS command line tool by Faizan Ahmad, called XssPy. The Shuriken XSS tool is under an MIT license, you can read it here.

The Shuriken logo is licensed under a Creative Commons Attribution 3.0 United States License. Authored by Monjin Friends.

Be responsible and use this tool at your own discretion, I cannot be held responsible for any damages caused.