
xss0r is a powerful tool for crawling and scanning authenticated URLs in Gmail (or other web applications) for XSS vulnerabilities. Unlike public crawlers, xss0r leverages session cookies (--cookies) to access restricted, login-protected areas that most security tools miss.
You Should Know:
1. Setting Up xss0r
First, clone the repository:
git clone https://github.com/xss0r/xss0r.git
cd xss0r
pip install -r requirements.txt
2. Exporting Gmail Cookies
Use browser extensions like EditThisCookie (Chrome) or Cookie-Editor (Firefox) to export your Gmail session cookies in JSON format.
3. Running xss0r with Cookies
python3 xss0r.py --url https://mail.google.com --cookies gmail_cookies.json --deep-crawl
– --url: Target Gmail URL.
– --cookies: Path to your exported cookies.
– --deep-crawl: Enables recursive crawling.
4. Scanning for XSS
xss0r automatically checks for XSS, but you can enhance detection with:
python3 xss0r.py --url https://mail.google.com --cookies gmail_cookies.json --xss --payloads custom_xss_payloads.txt
5. Advanced: Proxy & Rate Limiting
To avoid detection, route traffic through Burp Suite or a proxy:
python3 xss0r.py --url https://mail.google.com --cookies gmail_cookies.json --proxy http://127.0.0.1:8080 --delay 2
– --delay: Adds a 2-second delay between requests.
6. Extracting Hidden Endpoints
After crawling, review the `results` directory for discovered URLs:
grep "action=" results/gmail_crawl.txt
7. Automating with Bash
For continuous monitoring, create a cron job:
0 * * * * cd /opt/xss0r && python3 xss0r.py --url https://mail.google.com --cookies /path/to/cookies.json --quiet >> /var/log/xss0r.log
8. Defensive Measures (For Admins)
To detect such crawling, monitor abnormal GET/POST requests:
Linux (iptables)
iptables -A INPUT -p tcp --dport 80 -m string --string "xss0r" --algo bm -j DROP
Windows (PowerShell)
Get-WinEvent -LogName "Microsoft-IIS-Logging/Logs" | Where-Object { $_.Message -like "*xss0r*" }
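A log-side check for the fixed-delay crawling described in steps 3 and 5, as an added example that is not part of the original post or the xss0r project. It assumes combined-format access logs keyed by client IP (key on a session identifier instead if your logs record one); the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import pstdev

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')

def find_crawlers(lines, min_paths=10, max_jitter=0.5):
    """Flag clients that touch many distinct paths at near-constant intervals.

    Returns {client: (distinct_path_count, stdev_of_gaps_in_seconds)}.
    Thresholds are illustrative assumptions; tune them on your own traffic.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        client, ts, _method, target = m.groups()
        hits[client].append((datetime.strptime(ts, TS_FMT), target.split("?")[0]))
    flagged = {}
    for client, seen in hits.items():
        seen.sort()
        paths = {path for _, path in seen}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(seen, seen[1:])]
        # A fixed per-request delay shows up as almost zero spread in the gaps.
        if len(paths) >= min_paths and gaps and pstdev(gaps) <= max_jitter:
            flagged[client] = (len(paths), round(pstdev(gaps), 2))
    return flagged

def sample_lines():
    """Constructed log lines (not real traffic): one paced crawler, one human."""
    base = datetime(2025, 5, 10, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    out = []
    for i in range(12):  # automated client: a new path every 2 seconds
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        out.append(fmt.format(ip="203.0.113.7", ts=ts, path=f"/app/page{i}?id={i}"))
    for i, off in enumerate([0, 7, 45, 51, 130]):  # human: few paths, uneven gaps
        ts = (base + timedelta(seconds=off)).strftime(TS_FMT)
        out.append(fmt.format(ip="198.51.100.4", ts=ts, path=f"/app/page{i % 3}"))
    return out

if __name__ == "__main__":
    for client, (n_paths, jitter) in find_crawlers(sample_lines()).items():
        print(f"{client}: {n_paths} distinct paths, gap stdev {jitter}s")
```

Unlike the string match on the tool name, this keys on behaviour, so it still fires when the client sends no identifying string.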
What Undercode Say
xss0r is a game-changer for bug bounty hunters and penetration testers, allowing deep scanning of authenticated web apps. However, misuse can lead to account lockouts or legal consequences. Always obtain proper authorization before testing.
For defenders, monitoring cookie-based automation and rate-limiting suspicious crawlers is critical.
Expected Output:
- Discovered XSS vulnerabilities in authenticated Gmail paths.
- Logged endpoints in results/gmail_crawl.txt.
- Automated scanning via cron jobs for continuous security checks.
Prediction
As web apps move towards stricter authentication, tools like xss0r will evolve to bypass modern WAFs and fingerprinting techniques, making cookie-based scanning a standard in red-team operations.
References:
Reported By: Ibrahim Husić – Hackers Feeds


