Use XSSer Automated Framework to Detect, Exploit and Report XSS Vulnerabilities

May 9, 2017 | Views: 4983

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.

An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.

Cross Site “Scripter” (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

It contains several options to try to bypass certain filters, and various special techniques of code injection.

Also Learn: XSSight – Automated XSS Scanner And Payload Injector


XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-xmlbuilder - create xml/(x)html files - Python 2.x
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

To install on Debian-based systems

sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip


To list all the features XSSer Package xsser -h

root@kali:~# xsser -h


To launch a simple Injection attack

root@kali:~# xsser -u “”

2xsserscan1 3xsserscan1-1Injection from Dork, by selecting “google” as search engine:

root@kali:~# xsser –De “google” -d “search.php?q=”


To perform Multiple injections from URL, with automatic payload, establishing a reverse connection.

xsser -u “” –auto –reverse-check -s


Simple URL Injection, using GET, injecting on Cookie and using DOM shadow

xsser -u “” -g “/path?vuln=” –Coo –Dom –Fp=”vulnerablescript”
6xsserscan4-1 7xsserscan4-2 8xsserscan4-3

Parameter filtering with heuristics

root@kali:~# xsser -u “” –heuristic

9xsser5scan 10xsser5-1scan

To Launch GUI Interface

root@kali:~# xsser –gtk

You can also use TOR proxy with XSSer.

Key Features

  • Injection with both GET and POST methods.
  • Includes various filters and bypassing techniques.
  • can be used both with the command line and GUI.
  • Will provide detailed stats of the attack.

Common Defenses against XSS

  • What input do we trust?
  • Does it adhere to expected patterns?
  • Never simply reflect untrusted data.
  • Applies to data within our database too.
  • Encoding of context(Java/attribute/HTML/CSS).

You can find more Infosec resources, security news, and pen testing articles on

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?