Slingshot.XSS is a script that allows users to enter a URL, select a payload, and launch it at a website! This tool allows people to test websites for XSS vulnerabilities in GET requests.
An XSS (Cross-Site Scripting) vulnerability is a vulnerability in a webpage that allows an attacker to type code into an input box that the site then runs as a script instead of treating it as text. There are two types of XSS vulnerabilities: stored and reflective XSS. Stored XSS saves the code on the server, so anyone who visits the page will have the code run on them. This can sometimes be found in social media platforms. Reflective XSS reflects code back at the target and often uses GET requests. This can attack someone by sending a link to a victim, who will have code executed on their device upon clicking on it.
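The reflected case described above, seen from the server side, as an added example that is not part of Slingshot.XSS: a search page that echoes a GET parameter unencoded, the same page with output encoding, and a regression check that tells them apart. The function names, the `q` parameter, the probe string and the `shop.example` URL are all constructed for illustration.

```javascript
// Added example (not Slingshot.XSS code). All names and URLs are hypothetical.

// Encode the characters that let text break out of HTML text or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the search term (the "query" in the URL) out of a request URL.
// searchParams.get() percent-decodes the value, as a web framework would.
function getQuery(requestUrl) {
  return new URL(requestUrl).searchParams.get("q") ?? "";
}

// BEFORE: the parameter is concatenated into the page as-is (reflected XSS).
function renderVulnerable(requestUrl) {
  return `<h1>Results for ${getQuery(requestUrl)}</h1>`;
}

// AFTER: the same page with the parameter encoded for HTML context.
function renderSafe(requestUrl) {
  return `<h1>Results for ${escapeHtml(getQuery(requestUrl))}</h1>`;
}

// Regression check: does the response echo the probe back with its markup intact?
// A true result means the value reached the page without output encoding.
function reflectsUnencoded(html, probe) {
  return html.includes(probe);
}

// Constructed input: a harmless marker tag instead of a script payload.
const PROBE = '<i id="xss-probe">';
const sampleUrl = "https://shop.example/search?q=" + encodeURIComponent(PROBE);

console.log("vulnerable:", renderVulnerable(sampleUrl),
  "reflected unencoded =", reflectsUnencoded(renderVulnerable(sampleUrl), PROBE));
console.log("safe:      ", renderSafe(sampleUrl),
  "reflected unencoded =", reflectsUnencoded(renderSafe(sampleUrl), PROBE));
```

Running the same check against your own pages in a test suite catches a template that stops encoding its output before it ships.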
Firstly, on any OS, you would navigate to https://github.com/keeganjk/slingshot.xss. Once on this page, click the button that says "Clone or Download" and then "Download as ZIP".
If you are on Unix (Linux, macOS, or BSD), you can type `git clone https://github.com/keeganjk/slingshot.xss` into the terminal to clone this repository and then `cd` into the directory.
Next, extract the ZIP file and then move into the `slingshot.xss` folder.
Open `index.htm` with any modern web browser.
After opening `index.htm`, you have to enable JavaScript (for `index.htm`). This will be different in every browser, but it is usually in Settings. JavaScript will most likely be enabled, but make sure that it is.
To test for an XSS vulnerability, you need to enter a URL with
in the place of query. If you don't know how to get the query, go to your site and search something. You should see what you searched at the end of the URL. Replace it with
and then copy the URL. (If you see a bunch of other characters after your query, they can usually be removed.)
To test for an XSS vulnerability, you need a payload. Default payloads are located in the `payloads/` directory included in `slingshot.xss`. To select a payload, click on the `Choose File` button and select a payload. To submit your payload, click `Submit`. It should then say `Payload submitted!`.
Payload Help
After submitting your payload, a link that says `Launch Payload!` should appear.
If you found an XSS vulnerability and you're like me, you probably want to run some code on your friends (or enemies). Here's how:
Copy the link from `Launch Payload!` if the XSS attack was successful. HINT: If your target is not using the same browser that the payload worked with, the attack may not work.
Shorten your link in a URL shortener like Bitly or my personal favorite, Grabify, which will also get IPs and other target info.
Why would I want to shorten the URL? Shortening the URL both disguises it (`goo.gl/12345` is a lot less suspicious than `https://vulnerable.site/<script>document.cookie(); alert("j0uV3 /bin pwned!");</script>`!!) and some services, such as Gmail, will automatically turn scripts from links into normal text.
Next, share your XSS link through social media, email, chat, etc.!
XSS script launcher to test for vulnerabilities
OWASP XSS Filter Evasion Cheatsheet: Most XSS payloads came from here.
mattulm/offense: Provides alert text for some payloads
Redox01 Theme, Hendrik Lammers.
Muli Font, Vernon Adams.