- Comprehensive Scanning: Tests URL parameters, POST parameters, headers, and DOM content for XSS vulnerabilities.
- Multiple Browser Support: Compatible with both Firefox and Chrome for testing.
- Headless Mode: Option to run scans in headless browser mode for faster & traditional execution.
- Concurrent Scanning: Utilises multi-threading for efficient scanning of multiple targets.
- Customizable: Supports custom headers, cookies, and payload files.
- Crawling Capability: Can crawl websites to discover and test additional pages.
- Detailed Reporting: Provides comprehensive output with color-coded console logs and optional file output.
- DOM XSS Detection: Advanced detection of DOM-based XSS vulnerabilities.
- Payload Customization: Automatically customises payloads with unique identifiers for accurate detection.
- URL parameter testing
- POST parameter analysis
- Header scanning
- DOM content examination
- External script analysis
- Crawling targets and depth control
- Custom payload support
- Accurate detection
pip install -r requirements.txt
python3 helios.py [target_url] [options]
python3 helios.py target.com -o output.txt --crawl
python3 helios.py -l targetlist.txt --payload-file xsspayloads.txt -o output.txt --crawl --headless --cookies "Name=abcdefg" --headers "X-Forwarded For: 127.0.0.1"
Use python helios.py --help
for a full list of options and usage instructions.
- Getting gud
- Enhance payload generation dependant on context of target
- Optimize performance for large-scale scans, current still kinda sucks at speed - but any faster seems to produce false negatives :(
Helios is currently in early stages of development. While it offers powerful scanning capabilities, users should be aware that it may contain bugs or limitations. Contributions and feedback are welcome to improve its functionality and reliability.
This tool is for educational and ethical testing purposes only. Always obtain proper authorization before scanning any web applications or networks you do not own or have explicit permission to test.
Created by @stuub