🚀 xss0rRecon: The Best Recon Tool for Bug Bounty Hunters 🕵️‍♂️💻

xss0rRecon is a versatile bash script designed to facilitate domain enumeration, URL filtering, parameter discovery, and XSS detection. It is not mandatory to use xss0rRecon alongside xss0r, but doing so provides a significant boost to your scanning efficiency and accuracy. The tool is highly customizable and can be tailored to meet individual user requirements.

Join our Discord Channel for bug bounty hits and XSS tehniques with xss0r and xss0rRecon here: https://discord.com/invite/Uy2TzhtyQQ

Key Features of xss0rRecon:

1. Install all tools
2. Enter a domain name of the target
3. Domain Enumeration and Filtering
4. URL Crawling and Filtering
5. In-depth URL Filtering
6. HiddenParamFinders
7. Preparing for XSS Detection and Query String URL Analysis
8. Launching xss0r Tool
9. Guide to Deploying xss0r on VPS Servers
10. Path-based XSS
11. Domains Search Inputs

Getting Started

To begin using xss0rRecon, follow these steps:

1. Download the Latest Version
   Access the always-updated version of xss0rRecon from its official GitHub repository. 📥 When you download xss0rRecon.zip from store.xss0r.com, please make sure to replace the xss0rRecon.sh script with the latest version from our GitHub repository. 🔄Alongside the script, ensure you to ha the necessary supporting files:

• parametri.txt: For Arjun’s brute-forcing of hidden parameters
• path-reflection.py: For checking path-based reflections
• reflection.py: For checking query parameters
• subs-dnsbruter-small.txt: A wordlist for the dnsbruter tool (available on store.xss0r.com) Here you need to purchase any xss0r plan.
• xss0rRecon.sh:

Extract and Replace Files
Extract the downloaded files into the same directory containing your xss0r tool. Always replace your existing xss0rRecon.sh script with the latest version from GitHub.

Grant Execute Permissions

chmod +x xss0rRecon.sh

Run the Tool

sudo bash xss0rRecon.sh

Using xss0rRecon

Once the tool is launched, you will be presented with the following menu:

Please select an option:
1: Install all tools
2: Enter a domain name of the target
3: Domain Enumeration and Filtering
4: URL Crawling and Filtering
5: In-depth URL Filtering
6: HiddenParamFinder
7: Preparing for XSS Detection and Query String URL Analysis
8: Launching xss0r Tool
9: Exit
10: Guide to Deploying xss0r on VPS Servers
11: Path-based XSS
12: Domains Search Inputs
Enter your choice [1-12]:

xss0rRecon banner

Step 1: Install All Tools

Select option 1 to install all required tools and dependencies. The script installs:

• Go
• Waybackurls
• Gau
• Uro
• Katana
• Hakrawler
• GoSpider
• Arjun
• dnsbruter
• SubProber
• Subdominator
• UrlFinder

Confirmation

Ensure your Python version is 3.12.8 or later. Verify tool installations by running their respective help commands, e.g., subprober -h, subdominator -h. If any tools fail to install, manually install them from their GitHub repositories.

sudo apt update && sudo apt upgrade -y && sudo apt update — fix-missing && sudo apt install -y python3.12-venv python3-pip && python3 -m venv .venv && source .venv/bin/activate && python3 -m venv .venv && sudo apt upgrade python3 -y && sudo apt install -y pip pip3

If any tools fail to install, you might encounter an error indicating missing packages like colorama, aiodns, or others required by these tools and it will throw message not installed correctly or have outdated version. In such cases:

Explanation for Fixing Errors by Activating .venv

Many errors, such as ModuleNotFoundError (e.g., missing colorama or other dependencies), occur because the required Python packages are not installed in the current Python environment. These errors can be resolved by ensuring that your Python environment is correctly set up.

Steps to Fix Errors:

1. Activate the .venv Virtual Environment: The .venv is a virtual environment that isolates the dependencies required for your project. Activate it using the following command:
2. source "$(pwd)/.venv/bin/activate"

• This ensures that all Python commands, such as pip and python, operate within the context of the virtual environment.
• Install Missing Packages: If you encounter errors related to missing packages (e.g., ModuleNotFoundError: No module named 'colorama'), you can manually install the missing package using pip:

3. pip install [package_name]

Replace [package_name] with the name of the missing package. For example:

pip install colorama

Verify Installation: After installing the package, verify that it is correctly installed by running:

pip show [package_name]

This will display information about the package, such as its version and location.

Why Activation Fixes Errors:

• The virtual environment (.venv) contains all the dependencies specific to your project.
• Without activating the virtual environment, Python and pip might refer to the global environment, which may lack the necessary packages.

By following these steps, you can resolve any errors related to missing dependencies and ensure that your project runs smoothly.

Manually install the missing package using the following command:

sudo pip3 install [package name] --break-system-packages

Inject the missing package into the respective tool. For example, if subdominator is missing the colorama package, use:

sudo pipx inject subdominator "colorama"

Alternatively, manually install all dependencies for each tool using the commands below:

sudo pip3 install dnsbruter "aiodns>=3.2.0" "aiofiles>=24.1.0" "alive_progress>=3.2.0" "art>=6.1" "asynciolimiter>=1.1.0.post3" "colorama>=0.4.4" "requests>=2.32.3" "setuptools>=75.2.0" "uvloop>=0.21.0"

For Subdominator:

sudo pipx inject subdominator "aiofiles>=23.2.1" "aiohttp>=3.9.4" "appdirs>=1.4.4" "httpx>=0.27.2" "art>=6.1" "beautifulsoup4>=4.11.1" "colorama>=0.4.6" "fake_useragent>=1.5.0" "PyYAML>=6.0.1" "requests>=2.31.0" "rich>=13.7.1" "urllib3>=1.26.18" "tldextract>=5.1.2"

For Subprober:

sudo pip3 install --break-system-packages "subprober" "aiodns>=3.2.0" "aiofiles>=24.1.0" "aiojarm>=0.2.2" "alive_progress>=3.2.0" "appdirs>=1.4.4" "art>=6.4" "asynciolimiter>=1.1.1" "beautifulsoup4>=4.12.3" "colorama>=0.4.6" "cryptography>=44.0.0" "fake_useragent>=1.5.1" "httpx>=0.28.1" "mmh3>=5.0.1" "playwright>=1.49.1" "requests>=2.32.3" "rich>=13.9.4" "setuptools>=75.2.0" "simhash>=2.1.2" "urllib3>=1.26.18" "uvloop>=0.21.0" "websockets>=14.1" "bs4>=0.0.2" "lxml>=5.3.0"

Then update the tools to their latest version using the following commands:

subprober -up
subdominator -up
dnsbruter -up

Step 2: Enter a Target Domain

Choose option 2 and input your target domain in the format example.com. The tool will prompt:

Do you want to proceed with domain enumeration and filtering for testphp.vulnweb.com (Y/N)?

• If you select N, the tool will stop.
• Selecting Y presents the next prompt:

Do you want to use your own list of domains or let xss0rRecon find them for you? Enter Y for your list or N for xss0rRecon’s list — domain list must be in format $domainname.com-domains.txt:

• Press N to use xss0rRecon’s domain discovery methodology, which involves two tools: subdominator and dnsbruter.

Subdominator performs passive subdomain enumeration. Once complete, dnsbruter uses the subs-dnsbruter-small.txt wordlist for brute-forcing subdomains. This process is repeated twice to ensure comprehensive coverage, discovering even subdomains of subdomains (e.g., BRUTE.login.example.com).

Tip: If scanning a large list of domains, the process may take time. You can skip subdomain enumeration by pressing CTRL + C once per domain. Avoid pressing it multiple times in quick succession to prevent breaking the scan.

For those preferring to use their own domain list, select Y and ensure your list follows the format example.com-domains.txt. This skips domain enumeration and proceeds with your provided list.

Explanation for Using Your Own Domain List Instead of xss0rRecon

When working with tools like xss0rRecon, you may want to use your own predefined domain list instead of relying on the tool to generate one for you. Here’s how you can integrate your own list and proceed with the domain scanning and filtering process:

The tool provides two options:

1. Use your own custom domain list.
2. Let xss0rRecon generate the domain list for you.

If you choose to use your list, the tool will expect the file to follow a specific naming convention, such as testphp.vulnweb.com-domains.txt. This ensures the tool knows where to find your custom data:

When you enter your domain list, the tool will display the following message:

Using your provided list of domains from testphp.vulnweb.com-domains.txt
Your domain file has been created. Would you like to continue scanning your target domain, including all its subdomains? If so, please enter ‘Y’. If you prefer to modify the domain file first, so you can delete these and add your domains, enter ’N’, and you can manually proceed with step 4 afterwards. Do you want to continue scanning with all subdomains (Y/N)?:

• If you press Y, the tool will proceed to the next steps.
• If you press N, you can open your file and delete or add any new domains as needed before manually continuing with step 4.

Once you confirm, the tool will start processing the domains in your list. This includes:

• Filtering alive domains.
• Removing duplicates.
• Validating the domain entries.

Filtering Alive Domains

After selecting Y to proceed, the tool will use the SubProber tool to filter and identify alive domains. Once this process is complete, it will prompt:

Do you want to do crawling by xss0rRecon or add your own crawled links?

• Enter N to let xss0rRecon handle the crawling. The tool will utilize six different tools for this process: Gau, Waybackurls, Hakrawler, Katana, GoSpider, and UrlFinder. Crawling is thorough but time-consuming, as each of the six tools processes all your subdomains.
• If you choose Y to use your own list, ensure it is in the format testphp.vulnweb.com-links-final.txt. If the format does not match (i.e., the domain name followed by -links-final.txt), the tool will not accept the list. Rename your list accordingly to proceed.

Crawling Links

If you opt for the default crawling process [ press N ], the tool will start with the following message:

Current process: Crawling links with GoSpider…⌛

It will then proceed to run all six tools in sequence, ensuring comprehensive crawling for potential vulnerabilities. Each tool’s progress will be displayed, keeping you informed throughout the process.

In-depth URL Filtering

After completing crawling, the tool performs an in-depth filtering process:

Crawling and filtering URLs completed successfully. Output files created for each tool.
Current process: Filtering invalid links on Gospider & Hakrawler & UrlFinder...⌛
Current process: Removing old Gospider & Hakrawler & UrlFinder files...⌛
Current process: Filtering similar URLs with URO tool...⌛
URO tool is still running...⌛
URO processing completed. Files created successfully.
Current process: Removing all previous files...⌛
Current process: Merging all URO files into one final file...⌛
Current process: Creating 'urls' directory and setting permissions...⌛
Current process: Copying testphp.vulnweb.com-links-final.txt to 'urls' directory...⌛
All identified URLs have been successfully saved in the newly created 'urls' directory.

The final output includes a merged list of 2,120 URLs for further testing. After filtering:

• Total filtered URLs: 784

Hidden Parameter Discovery

Next, the tool uses Arjun to discover hidden parameters on URLs with extensions like .php, .asp, .aspx, .jsp, and .cfm:

[*] Scanning 18/71: http://testphp.vulnweb.com/listproducts.php
[*] Probing the target for stability
[+] Heuristic scanner found 2 parameters: goButton, searchFor
[+] Parameters found: artist, cat

Arjun systematically tests each URL for hidden parameters, providing additional vectors for XSS testing. While results vary, the process ensures comprehensive coverage of potential vulnerabilities.

Arjun finalizes the clean list and successfully merges and deduplicates links into arjun-final.txt. After running on these clean URLs, four new links are discovered:

• http://testphp.vulnweb.com/showimage.php?file=3384
• http://testphp.vulnweb.com/AJAX/infoartist.php?id=4048
• http://testphp.vulnweb.com/listproducts.php?artist=6984&cat=1493
• http://testphp.vulnweb.com/artists.php?artist=3639

The process includes cleaning up temporary files and setting up final outputs.

The final step is Preparing for XSS Detection and Query String URL Analysis. This involves saving query-based URLs in testphp.vulnweb.com-query.txt and unique links in testphp.vulnweb.com-ALL-links.txt. Once filtering and deduplication are complete, 58 URLs remain ready for page reflection testing.

Step 4: Preparing for XSS Detection
With a clean set of URLs, the next focus is on reflection testing. The tool analyzes query strings, identifies repeated parameters, and ensures each URL is normalized and ready. It then combines these filtered lists for comprehensive page reflection tests.
Finally, the process is initiated with the command:
python3 reflection.py testphp.vulnweb.com-query.txt --threads 2

Final Steps in Processing

Once reflection checking is complete, we’ll have the following progress updates:

• Reflection Analysis:
  [INFO] Progress: 138/138 URLs processed.
  Reflection analysis will produce a new file, xss.txt, containing URLs that reflect input. The tool then filters duplicate entries and removes highly similar parameters, ultimately reducing noise in the results. By the end of this process, a streamlined file named xss-urls.txt is created, ready for targeted XSS testing.
• Significant Reduction in URLs:
  Initially, the workflow starts with a substantial 2,120 merged URLs. After filtering, processing, and reflection analysis, only 10 URLs remain — each a strong candidate for potential XSS vulnerabilities. This significant reduction highlights the importance of thorough filtering and careful reflection analysis, ensuring that only the most promising URLs are carried forward to the final testing stage.

Launching the xss0r Tool

After filtering down to 10 URLs from the original 2,120, we proceed to the crucial final step: testing these URLs using the powerful xss0r tool. xss0r, known for its precision and zero false positives, is tasked with confirming potential XSS vulnerabilities. Here’s how the process unfolds:

• xss0rRecon Automates Testing:
  xss0rRecon automatically feeds the 10 filtered URLs from xss-urls.txt into the xss0r tool, along with chosen payloads from payloads.txt.
• Threaded Execution:
  The tool fires up 10 threads to ensure efficient processing. Each thread systematically injects payloads into the URLs, meticulously monitoring for any reflected input.
• Clear Results:
  During this process, xss0r detects an alert on the URL:
  http://testphp.vulnweb.com/listproducts.php?artist=/<script>alert(1234)</script>
  The tool confirms the XSS by showing the text 1234 in the response. Additional details, such as the page title, status code, and WAF protection status, provide valuable context for verifying the vulnerability.

• Conclusion:
  xss0r successfully demonstrates its zero false positive rate by pinpointing a genuine XSS vulnerability. This final step validates the earlier filtering and confirms the effectiveness of our approach, reinforcing xss0r’s reputation as a reliable tool for accurate XSS detection.

Continuing Explanation: Path-Based XSS Testing with xss0r

After successfully verifying query-based XSS vulnerabilities with xss0r, the next step is to test for path-based XSS vulnerabilities. This process is carried out using Option 11: Path-Based XSS in the tool. Before proceeding with this step, ensure that all previous processes (from Step 2 to Step 8) have been completed. The output of these steps will result in a file named:

testphp.vulnweb.com-ALL-links.txt

This file contains all the enumerated URLs and is crucial for the path-based XSS testing process.

Steps for Path-Based XSS Testing:

1. Select Option 11: Path-Based XSS After completing the query-based XSS testing and generating the -ALL-links.txt file, select Option 11 in the xss0r menu. This option lists all available -ALL-links.txt files in the current directory.
2. Input Domain Name When prompted, enter the domain name without the -ALL-links.txt suffix. For example, if your file is testphp.vulnweb.com-ALL-links.txt, simply enter:

testphp.vulnweb.com

3. Filtering Process The tool begins filtering the paths for possible XSS vulnerabilities. Once this process is complete, the next step involves checking for reflections in the paths using the path-reflection.py script.

Reflection Testing with path-reflection.py:

1. Purpose of Reflection Testing:

• The path-reflection.py script identifies reflection points in the URL paths.
• It tests each path segment individually to detect vulnerabilities.

1. How the Reflection Testing Works: If the script detects a reflection in a URL, it modifies the URL to include a {payload} placeholder in the vulnerable path segments. For example:

• Input URL:

http://testphp.vulnweb.com/login/admin/testing

Detected Reflections:
If login and testing are vulnerable, the tool generates the following URLs:

http://testphp.vulnweb.com/{payload}/admin/testing
http://testphp.vulnweb.com/login/admin/{payload}

Output File: The script saves the results in a file named:

path-xss-urls.txt

Reflection Testing for Query Parameters with reflection.py:

Similarly, the reflection.py script is used for reflection testing in query parameters. Here's how it works:

1. Input URL:

#http://testphp.vulnweb.com/listproducts.php?artist=12&cat=12

Detected Reflections:
If artist and cat are reflected, the tool generates the following URLs:

http://testphp.vulnweb.com/listproducts.php?artist={payload}&cat=12
http://testphp.vulnweb.com/listproducts.php?artist=12&cat={payload}

Testing Methodology:
The tool tests each parameter individually to ensure accurate results and avoids spraying payloads across multiple parameters simultaneously.

Path-Based XSS Testing with xss0r:

After completing the reflection testing, the path-xss-urls.txt file is sent to xss0r for XSS testing. This process thoroughly evaluates each URL to identify potential path-based XSS vulnerabilities. The tool's precision ensures that only genuinely vulnerable URLs are flagged, maintaining its zero false positive rate.

Conclusion:

By following these steps, xss0r provides a comprehensive and methodical approach to detecting both query-based and path-based XSS vulnerabilities. The use of dedicated reflection testing tools (reflection.py for queries and path-reflection.py for paths) ensures accurate and reliable results, reinforcing xss0r's status as a cutting-edge tool for XSS vulnerability detection.

Step 12: Domains Search Inputs

The next advanced feature in xss0r is Option 12: Domains Search Inputs, which introduces a highly effective and innovative process designed specifically for bug bounty hunters. This feature allows you to test for reflections and potential XSS vulnerabilities on a predefined list of domains by appending various search queries to each domain.

What is Domains Search Inputs?

The Domains Search Inputs feature tests a list of domains in the format:

http://domainname.com
After all other processing tasks in xss0rRecon are completed (Steps 2–11), you will have a file generated with your domains in the following format:

testphp.vulnweb.com-domains.txt

This file is critical for Option 12, as it contains the cleaned and validated domain list. When you select Option 12, the tool performs the following tasks:

How It Works

1. Prompt for Domain List: After selecting Option 12, the tool will prompt you to provide your domain list. Enter the name of the file (e.g., testphp.vulnweb.com-domains.txt).
2. Appending Search Queries: The tool automatically appends various predefined search queries to each domain in your list, testing each query one by one. Here are examples of the search queries:

search?q=aaa
?query=aaa
en-us/Search#/?search=aaa
Search/Results?q=aaa
q=aaa
search.php?query=aaa
en-us/search?q=aaa
…

• These queries cover a wide range of formats used in real-world applications, ensuring comprehensive coverage for potential vulnerabilities.
• Testing Reflection: Once the queries are appended, the reflection.py tool starts testing for reflections in the appended URLs. This process identifies whether the queries are reflected in the responses.
• Sending to xss0r for Confirmation: If reflections are detected, the tool automatically sends the URLs to xss0r for further testing and confirmation of potential XSS vulnerabilities.

Example Workflow

• Input Domain:
  http://testphp.vulnweb.com
• Generated Queries:

http://testphp.vulnweb.com/search?q=aaa
http://testphp.vulnweb.com/?query=aaa
http://testphp.vulnweb.com/en-us/Search#/?search=aaa
…

Reflection Testing:
The reflection.py tool processes each generated query. If the reflection exists, it saves the URL in the following format:

http://testphp.vulnweb.com/search?q={payload}

Final Testing:
The tool sends the reflected URLs to xss0r for XSS payload injection and confirmation.

Benefits of Domains Search Inputs

• Comprehensive Testing:
  Tests domains against a large variety of potential search query formats, ensuring no potential vulnerability is missed.
• Automatic Workflow:
  Automates the process of appending queries, testing reflections, and confirming XSS vulnerabilities.
• High Accuracy:
  Leverages the reflection.py script for precise reflection testing, ensuring reliable results.
• Bug Hunter Focused:
  Tailored for bug bounty hunters, saving hours of manual work while maintaining high accuracy with xss0r tool.
• Saving Time:

You don’t need to open every single domain manually and look for search inputs!

Conclusion

The Domains Search Inputs feature in xss0r is a game-changing addition for detecting XSS vulnerabilities. By appending diverse search queries to domain lists and automating the reflection and confirmation process, this feature enables bug bounty hunters to efficiently and effectively identify vulnerabilities. This further cements xss0r as a leading tool for accurate XSS detection with a zero false positive rate.

Visit our Official page for xss0r Tool: store.xss0r.com
And our FREE Blind XSS Testing: xss0r.com