xnl-h4ck3r / knoxnl Goto Github PK

This is a python wrapper around the amazing KNOXSS API by Brute Logic. To use this tool (and the underlying API), you must have a valid KNOXSS API key. Don't have one? Go visit https://knoxss.me and subscribe! This was inspired by the "knoxssme" tool by @edoardottt2, but developed to allow for greater options.

DISCLAIMER: We are not responsible for any use, and especially misuse, of this tool or the KNOXSS API

NOTE: If you already have a config.yml file, it will not be overwritten. The file config.yml.NEW will be created in the same directory. If you need the new config, remove config.yml and rename config.yml.NEW back to config.yml.

knoxnl supports Python 3.

Install knoxnl in default (global) python environment.

pip install knoxnl

OR

pip install git+https://github.com/xnl-h4ck3r/knoxnl.git -v

You can upgrade with

knoxnl -up

OR

pip install --upgrade knoxnl

Quick setup in isolated python environment using pipx

pipx install git+https://github.com/xnl-h4ck3r/knoxnl.git

The config.yml file (in the global location based on the OS, e.g. ~/.config/knoxnl/config.yml) has the keys which can be updated to suit your needs:

• API_URL - This can be set to the KNOXSS API endpoint, if and when it is changed
• API_KEY - Your KNOXSS API key that you will have generated on https://knoxss.me/
• DISCORD_WEBHOOK - Your discord webhook URL if you want to be notified of successful XSS

• Unlike other APIs that just retrieve data from a database, KNOXSS API returns the results like the web interface, actually performing a comprehensive vulnerability scan for XSS. Since scan results are not stored by our system, they need to be generated on the fly taking several JavaScript-evaluated live tests to return them. So it's natural the data returned takes much more time to get delivered since there's a long process involved at server side.
• The API standard rate limit is 5000 requests over a 24 hours period. That means an average of 2.3 requests per minute so please try to keep this pace to not overload the system. Due to this rate limit, if the input is a file or URLs, then only a batch (determined by argument -p/--processes) will be run per minute.
• Generating or Regenerating your API Key - The API key is in your profile. If you have never generated it you need to hit the button at least once to generate it and save. Any time you need a new API key for security reasons, you can simply hit the button and regenerate it.
• Flash Mode Mark - [XSS] - Provide the [XSS] mark in any place of the target's data values to enable Flash Mode which enables KNOXSS to perform a single quick XSS Polyglot based test.

• At the time of writing this, the daily limit of KNOXSS API calls is 5000. If you are testing a large file of URLs, it is advisable that you use the -o / --output option to specify a file where output will be written. If you do reach the API limit, it resets 24 hours after the first API call was made. If you are processing a file of URLs, you can use the -pur/--pause-until-reset to wait until the reset happens and then continue (this is only possible if the first request was run by knoxnl so it could save the response timestamp).
• If you pass an input file and the API limit is reached, or the Service is Unavailable, part way through the input, all unchecked URLs will be output to an file in the same location, and with the same name as the input file, but with a .YYYYMMDD_HHMMSS.todo suffix. You can then rename this file and use this as input at another time. The .todo file will be created in the current directory unless a path is specified in the -o/--output directory, and then the .todo file will be created in the same directory.
• By default, only successful results are written to the output file.
• Passing argument -oa / --output-all will write ALL results to the output file, not just successful one's.
• The KNOXSS API has a rate limit of no more than 5 URLs processed per minute. If the rate limit is exceeded then you might end up getting blocked by their WAF, and you will not get the results you want. This rate limit is taken into account when passing a file of URLs as input. However, if you keep running for a single URL more than this per minute you wil run into problems. Please respect the rules of their API.
• The KNOXSS only deals with POST requests with basic post data in the format 'param1=value&param2=value&param3=value'.
• If the -pd/--post-data argument is not passed and a POST request is made, it will use the query string from the URL as post data if it has one.
• If a file is passed as input and POST method is required, then the post data parameters need to be provided as a query string for the URL in the file, e.g. https://example.com?postParam1=value&postParam2-value. If you use the -pd/--post-data with an input file then ALL URLs will use that post data.
• These are required based on the way the KNOXSS API works.

Pass a single URL:

NOTE: If you pass a URL, put it in quotes otherwise the shell can interpret & characters as instruction to run a background task.

knoxnl -i "https://brutelogic.com.br/xss.php"

Or a file of URLs:

knoxnl -i ~/urls.txt

Test a single URL for both GET and POST. if it is successful, the payload will be output to output.txt. In this case, an API key is provided, overriding any in config.yml if it exists. Also, the parameter value has been passed as [XSS] which will request the KNOXSS API to enable Flash Mode which performs a single quick XSS Polyglot based test:

knoxnl -i "https://brutelogic.com.br/xss.php?b3=[XSS]" -X BOTH -o output.txt -A 93c864f5-af3a-4f6a-8b25-8662bc8b5ab6

Test a single URL for POST and pass post body data:

knoxnl -i "https://brutelogic.com.br/xss.php" -X POST -pd user=xnl -o output.txt

Pass cookies and an auth header for a single URL, and use the Advanced Filter Bypass option:

knoxnl -i "https://bugbountytarget.com?a=one&b=2" -afb -H "Cookie: sessionId=9d7127ca-8966-4ae9-b20a-c2892a2f1167; lang=en;|Authorization: Basic eyJZb3UgZGlkbid0IHRoaW5rIHRoaXMgYSBnZW51aW5lIHRva2VuIGRpZCB5b3U/ISA7KSJ9"

To be able to use knoxnl to test a request in Burp Suite Proxy, we can use it in conjunction with the amazing Piper extension by András Veres-Szentkirályi. Follow the steps below to set it up:

1. Go to the BApp Store in Burp and install the Piper extension.
2. Go to the Piper tab and click the Context menu items sub tab, then click the Add button.
3. In the Add menu item dialog box, enter the Name as knoxnl and change the Can handle... drop down to HTTP requests only.
4. Change both the Minimum required number of selected items and Maximum allowed number of selected items values to 1.
5. Click the Edit... button for Command and the Command invocation editor dialog box should be displayed.
6. Check the Pass HTTP headers to command check-box.
7. If you are on a Linux machine, or Windows without WSL, do the following:
   • In the Command line parameters box you enter the command and arguments one line at a time.
   • You want to enter a command of /my/path/to/python3 /my/path/to/knoxnl.py --burp-piper -X BOTH for example, providing the full path of the knoxnl binary file.
   • So in the Command line parameters input field it would look like this:

     /my/path/to/knoxnl
     --burp-piper
     -X
     BOTH
     

   • You may want to add other knoxnl arguments too, such as -A your_knoxss_api_key, -t 60, etc. Remember to put the argument and the value on separate lines.
8. If you are on a Windows machine using WSL, do the following:
   • In the Command line parameters box you enter the command and arguments one line at a time.
   • You want to enter a command of wsl -e /my/path/to/knoxnl --burp-piper -X BOTH for example, providing the full path of the knoxnl.py binary file.
   • So in the Command line parameters input field it would look like this:

     wsl
     -e
     /my/path/to/knoxnl
     --burp-piper
     -X
     BOTH
     

   • You may want to add other knoxnl arguments too, such as -A your_knoxss_api_key, -t 60, etc. Remember to put the argument and the value on separate lines.
9. Click the OK button on the Command invocation editor dialog box.
10. Click the OK button on the Edit menu item dialog box.

Piper is now set up to be able to call knoxnl.

To call knoxnl for a particular request, follow these steps:

1. Right click on a Request and select Extensions -> Piper -> Process 1 request -> knoxnl.
2. A window should open with the title Piper - knoxnl.
3. IMPORTANT NOTE: This Piper window stays blank until the command is complete (which could be up to 180 seconds - the default value of -t/--timeout).
4. When complete, it should show the knoxnl output in the same way as on the command line version. Just close the window when you have finished.

With Piper you can also send the knoxnl request to a queue by selecting Extensions -> Piper -> Add to queue. You can then go to the Queue sub tab under Piper and see the request. Right click the request to send to knoxnl.

If you come across any problems at all, or have ideas for improvements, please feel free to raise an issue on Github. If there is a problem, it will be useful if you can provide the exact command you ran and a detailed description of the problem. If possible, run with -v to reproduce the problem and let me know about any error messages that are given, and the KNOXSS API request/response.

• Allow input to be piped into knoxnl.
• Allow a large file to be passed, and if the API limit is reached, wait until the API limit is refreshed and continue.
• Deal with downgrading HTTPS to HTTP if required.
• If a target is blocking KNOXSS, then try a few times, and if no success then skip all links for that domain, and write to a .blocked file.

Single URL:

File of URLs checked with GET and POST:

Example Discord notification:

Good luck and good hunting! If you really love the tool (or any others), or they helped you find an awesome bounty, consider BUYING ME A COFFEE! ☕ (I could use the caffeine!)

🤘 /XNL-h4ck3r