# SSTI-XSS-Finder – Bash-Based Internet-Scale Scanner Using Shodan Dorks **Author:** [darklotuskdb](https://github.com/darklotuskdb) **Repository:** [https://github.com/darklotuskdb/SSTI-XSS-Finder](https://github.com/darklotuskdb/SSTI-XSS-Finder) **Platform:** Bash Shell (Linux/macOS/WSL) **Category:** Web Vulnerability Scanning, Bug Bounty Automation **Dependencies:** Shodan CLI, curl **License:** MIT --- ## Overview **SSTI-XSS-Finder** is a fully automated Bash-based tool designed to scan large swathes of internet-facing applications for **Server-Side Template Injection (SSTI)** and **Cross-Site Scripting (XSS)** vulnerabilities by leveraging the power of **Shodan Dorks**. Instead of requiring predefined targets or URLs, the tool uses Shodan’s search API to identify potentially vulnerable systems and probes them for reflected or evaluated payloads. This project offers a powerful edge to bug bounty hunters and red teamers conducting wide-scope vulnerability reconnaissance across specific organizations, networks, or technologies. --- ## What Are SSTI and XSS? ### 🔥 Server-Side Template Injection (SSTI) As described by [OWASP](https://owasp.org/www-community/Server-Side_Template_Injection), SSTI vulnerabilities occur when unsanitized user input is processed by a backend template engine. This may allow an attacker to inject template syntax that executes arbitrary code on the server. SSTIs are particularly dangerous due to their potential to escalate into full Remote Code Execution (RCE). **Example Payloads:** - `{{7*7}}` (Jinja2 → evaluates to `49`) - `${7*7}` (Spring, Java-based engines) - `` (ERB, JSP) ### 💥 Cross-Site Scripting (XSS) According to [OWASP](https://owasp.org/www-community/attacks/xss), XSS vulnerabilities occur when attackers inject malicious scripts into web pages viewed by others. This can lead to session hijacking, credential theft, or redirection to malicious content. **Common XSS Payloads:** - `alert(1)` - `">` --- ## How the Tool Works **SSTI-XSS-Finder** automates the following process: 1. Accepts a **Shodan Dork** (e.g., `org:"Target Corp"` or `hostname:target.com`) as input. 2. Uses the **Shodan CLI** to enumerate public-facing HTTP(S) services matching the dork. 3. Injects a curated list of SSTI and XSS payloads into discovered URLs using `curl`. 4. Analyzes HTTP responses for signs of: - SSTI evaluation (e.g., response contains `49`) - XSS reflection (e.g., script appears in response) 5. Logs all positively matched endpoints to output files for post-processing. --- ## Features - 🌍 Internet-wide scanning using Shodan dorks - 🧪 SSTI and XSS payload fuzzing with response validation - 📜 Written entirely in Bash – lightweight and portable - ✅ Fully automated: from discovery to exploitation attempt - 📁 Result output in organized logs (`xss_results.txt`, `ssti_results.txt`) --- ## Installation ```bash git clone https://github.com/darklotuskdb/SSTI-XSS-Finder cd SSTI-XSS-Finder chmod +x SSTI-XSS-Finder.sh ``` Install [Shodan CLI](https://cli.shodan.io) and authenticate it: ```bash pip install shodan shodan init ``` Ensure `curl` is installed (`sudo apt install curl` if needed). --- ## Usage ```bash ./SSTI-XSS-Finder.sh ``` ### Examples: ```bash ./SSTI-XSS-Finder.sh org:"Target Corp" ./SSTI-XSS-Finder.sh hostname:example.com ./SSTI-XSS-Finder.sh net:192.168.0.0/16 ``` The script will: - Search for matching HTTP services on Shodan. - Inject payloads into accessible URLs. - Detect potential XSS/SSTI reflection or evaluation. - Save findings in `xss_results.txt` and `ssti_results.txt`. --- ## Payloads Used ### SSTI Payloads: - `{{7*7}}` - `${7*7}` - `` ### XSS Payloads: - `alert(1)` - `` - `">` You can extend or modify payloads by editing the script. --- ## Output - `xss_results.txt` – List of URLs vulnerable or reflecting XSS payloads - `ssti_results.txt` – List of URLs evaluating or reflecting SSTI payloads Each entry contains the tested URL and matched payload. --- ## Use Cases - 🔍 Bug bounty automation across large scopes - 🎯 Reconnaissance against specific targets using Shodan filters - 🛠️ Security research into exposed web apps - 🧪 Fast triaging of vulnerable hosts before deeper exploitation --- ## Limitations - Only supports GET requests (no form or JSON body injection). - May generate false positives from partial reflections. - Not designed for authenticated scanning or dynamic JS-based analysis. - Dependent on Shodan’s availability and your API quota. --- ## Conclusion **SSTI-XSS-Finder** is a practical and efficient tool for large-scale web vulnerability scanning using real-time Shodan intelligence. By blending Bash automation, Shodan enumeration, and injection payloads, it offers a powerful edge in discovering overlooked SSTI and XSS flaws across the internet. Whether for bug bounty reconnaissance or enterprise perimeter testing, SSTI-XSS-Finder brings automation, speed, and coverage to web vulnerability hunting. --- ## References - GitHub Repository: [https://github.com/darklotuskdb/SSTI-XSS-Finder](https://github.com/darklotuskdb/SSTI-XSS-Finder) - OWASP SSTI: [https://owasp.org/www-community/Server-Side_Template_Injection](https://owasp.org/www-community/Server-Side_Template_Injection) - OWASP XSS: [https://owasp.org/www-community/attacks/xss](https://owasp.org/www-community/attacks/xss) - Shodan CLI: [https://cli.shodan.io](https://cli.shodan.io) ```

Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

SSTI-XSS-Finder

NikolasHume

SSTI-XSS-Finder – Bash-Based Internet-Scale Scanner Using Shodan Dorks

Author: darklotuskdb
Repository: https://github.com/darklotuskdb/SSTI-XSS-Finder
Platform: Bash Shell (Linux/macOS/WSL)
Category: Web Vulnerability Scanning, Bug Bounty Automation
Dependencies: Shodan CLI, curl
License: MIT

Overview

SSTI-XSS-Finder is a fully automated Bash-based tool designed to scan large swathes of internet-facing applications for Server-Side Template Injection (SSTI) and Cross-Site Scripting (XSS) vulnerabilities by leveraging the power of Shodan Dorks. Instead of requiring predefined targets or URLs, the tool uses Shodan’s search API to identify potentially vulnerable systems and probes them for reflected or evaluated payloads.

This project offers a powerful edge to bug bounty hunters and red teamers conducting wide-scope vulnerability reconnaissance across specific organizations, networks, or technologies.

What Are SSTI and XSS?

🔥 Server-Side Template Injection (SSTI)

As described by OWASP, SSTI vulnerabilities occur when unsanitized user input is processed by a backend template engine. This may allow an attacker to inject template syntax that executes arbitrary code on the server. SSTIs are particularly dangerous due to their potential to escalate into full Remote Code Execution (RCE).

Example Payloads:

{{7*7}} (Jinja2 → evaluates to 49)
${7*7} (Spring, Java-based engines)
<%= 7*7 %> (ERB, JSP)

💥 Cross-Site Scripting (XSS)

According to OWASP, XSS vulnerabilities occur when attackers inject malicious scripts into web pages viewed by others. This can lead to session hijacking, credential theft, or redirection to malicious content.

Common XSS Payloads:

<script>alert(1)</script>
"><img src=x onerror=alert(1)>

How the Tool Works

SSTI-XSS-Finder automates the following process:

Accepts a Shodan Dork (e.g., org:"Target Corp" or hostname:target.com) as input.
Uses the Shodan CLI to enumerate public-facing HTTP(S) services matching the dork.
Injects a curated list of SSTI and XSS payloads into discovered URLs using curl.
Analyzes HTTP responses for signs of:
- SSTI evaluation (e.g., response contains 49)
- XSS reflection (e.g., script appears in response)
Logs all positively matched endpoints to output files for post-processing.

Features

🌍 Internet-wide scanning using Shodan dorks
🧪 SSTI and XSS payload fuzzing with response validation
📜 Written entirely in Bash – lightweight and portable
✅ Fully automated: from discovery to exploitation attempt
📁 Result output in organized logs (xss_results.txt, ssti_results.txt)

Installation

git clone https://github.com/darklotuskdb/SSTI-XSS-Finder
cd SSTI-XSS-Finder
chmod +x SSTI-XSS-Finder.sh

Install Shodan CLI and authenticate it:

pip install shodan
shodan init <YOUR_SHODAN_API_KEY>

Ensure curl is installed (sudo apt install curl if needed).

Usage

./SSTI-XSS-Finder.sh <Shodan-Dork>

Examples:

./SSTI-XSS-Finder.sh org:"Target Corp"
./SSTI-XSS-Finder.sh hostname:example.com
./SSTI-XSS-Finder.sh net:192.168.0.0/16

The script will:

Search for matching HTTP services on Shodan.
Inject payloads into accessible URLs.
Detect potential XSS/SSTI reflection or evaluation.
Save findings in xss_results.txt and ssti_results.txt.

Payloads Used

SSTI Payloads:

{{7*7}}
${7*7}
<%= 7*7 %>

XSS Payloads:

<script>alert(1)</script>
<img src=x onerror=alert(1)>
"><svg/onload=confirm(1)>

You can extend or modify payloads by editing the script.

Output

xss_results.txt – List of URLs vulnerable or reflecting XSS payloads
ssti_results.txt – List of URLs evaluating or reflecting SSTI payloads

Each entry contains the tested URL and matched payload.

Use Cases

🔍 Bug bounty automation across large scopes
🎯 Reconnaissance against specific targets using Shodan filters
🛠️ Security research into exposed web apps
🧪 Fast triaging of vulnerable hosts before deeper exploitation

Limitations

Only supports GET requests (no form or JSON body injection).
May generate false positives from partial reflections.
Not designed for authenticated scanning or dynamic JS-based analysis.
Dependent on Shodan’s availability and your API quota.

Conclusion

SSTI-XSS-Finder is a practical and efficient tool for large-scale web vulnerability scanning using real-time Shodan intelligence. By blending Bash automation, Shodan enumeration, and injection payloads, it offers a powerful edge in discovering overlooked SSTI and XSS flaws across the internet.

Whether for bug bounty reconnaissance or enterprise perimeter testing, SSTI-XSS-Finder brings automation, speed, and coverage to web vulnerability hunting.

References

GitHub Repository: https://github.com/darklotuskdb/SSTI-XSS-Finder
OWASP SSTI: https://owasp.org/www-community/Server-Side_Template_Injection
OWASP XSS: https://owasp.org/www-community/attacks/xss
Shodan CLI: https://cli.shodan.io

📱

Download Now—Top Software, No Cost!