This is a vulnerability scanner that scans for reflected XSS and SSTI.

- Enumerate subdomains using Sublist3r.
- Crawl each subdomain using ZAP.
- Replace each parameter value with HTML tags, i.e. `>` and `<`, and check for reflection.
- If any reflection is found, it notifies you on Discord.
- ZAP Python API:

```
pip install python-owasp-zap-v2.4
```
- Install ZAP and get the API key.
- Save the API key in `/config/config.json`:

```json
{
  "Version": "0.1",
  "ZapApiKey": "API-KEY-HERE"
}
```
- Create a Discord server and get the webhook URL. Save the webhook URL in `core/utils.py`:

```python
from discord_webhook import DiscordWebhook


def notifyIfFileMofidy():
    # Paste your Discord webhook URL here
    web_hook = "WEB-HOOK_URL-HERE"
    webhook = DiscordWebhook(url=web_hook, content='[+] Possible XSS reported please check found.txt')
    # Send the message to the Discord channel
    webhook.execute()
```
- Enter targets in `targets.txt`, one per line:

```
http://testphp.vulnweb.com
*.evil.com
```

Use `http://` or `https://` to test a single website, and `*.` to test all subdomains of a domain.
- Run `zerro.py`:

```
python3 zerro.py
```
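The setup above leaves two secrets in the checkout: the ZAP API key in `config/config.json` and the Discord webhook URL pasted into `core/utils.py`. As an added example (not the project's own code), the block below does a preflight check before a run: it rejects a config that still holds the `API-KEY-HERE` placeholder, reads the webhook URL from an environment variable instead of source (the variable name `ZERRO_DISCORD_WEBHOOK` is an assumption for this example), and builds the Discord message as a short summary rather than a dump of every finding. The sample config text and the function names are constructed for the example.

```python
import json
import os
import urllib.request

# Placeholder the README ships with; a config still holding it must be rejected.
PLACEHOLDER_API_KEY = "API-KEY-HERE"
# Assumed environment variable (not from the project) that keeps the webhook
# URL out of core/utils.py and out of version control.
WEBHOOK_ENV_VAR = "ZERRO_DISCORD_WEBHOOK"
# Discord webhook URLs live under one of these prefixes.
DISCORD_WEBHOOK_PREFIXES = (
    "https://discord.com/api/webhooks/",
    "https://discordapp.com/api/webhooks/",
)

# Constructed config text mirroring config/config.json from the README.
SAMPLE_CONFIG_TEXT = '{"Version": "0.1", "ZapApiKey": "API-KEY-HERE"}'


def load_config(text):
    """Parse the config/config.json content and return it as a dict."""
    return json.loads(text)


def validate_config(cfg):
    """Raise ValueError if the ZAP API key is missing or still the placeholder."""
    key = cfg.get("ZapApiKey", "")
    if not key or key == PLACEHOLDER_API_KEY:
        raise ValueError("ZapApiKey is not set in config/config.json")
    return cfg


def webhook_url(environ=None):
    """Read the Discord webhook URL from the environment rather than from source."""
    environ = os.environ if environ is None else environ
    url = environ.get(WEBHOOK_ENV_VAR, "")
    if not url.startswith(DISCORD_WEBHOOK_PREFIXES):
        raise ValueError(f"{WEBHOOK_ENV_VAR} is unset or is not a Discord webhook URL")
    return url


def build_notification(hits):
    """Build the JSON body Discord expects ({"content": ...}): a count plus at
    most five URLs, so the channel does not become a second copy of found.txt."""
    lines = [f"[+] {len(hits)} possible XSS reflection(s), please check found.txt"]
    lines += [f"- {h}" for h in hits[:5]]
    if len(hits) > 5:
        lines.append(f"... and {len(hits) - 5} more")
    return {"content": "\n".join(lines)}


def send_notification(url, payload):
    """POST the payload to the webhook. Network call; returns the HTTP status."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Preflight: both checks must pass before zerro.py is worth starting.
    cfg = load_config(open("config/config.json").read())
    validate_config(cfg)
    url = webhook_url()
    print("config OK, webhook configured; sample message:")
    print(build_notification(["http://testphp.vulnweb.com"])["content"])
```

Run the preflight once before a long crawl: a placeholder API key means every ZAP call fails, and an unset webhook means the only signal the scanner produces never reaches you.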