January 21, 2020

Use XSSer Automated Framework to Detect, Exploit and Report XSS Vulnerabilities

gurubaran
Share

XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.

An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.

Cross Site “Scripter” (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

It contains several options to try to bypass certain filters, and various special techniques of code injection.

Also Learn: XSSight – Automated XSS Scanner And Payload Injector

Installation

XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl- python-xmlbuilder - create xml/(x)html files - Python 2.x- python-beautifulsoup - error-tolerant HTML parser for Python- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

To install on Debian-based systems

sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip

Usage

To list all the features XSSer Package xsser -h

root@kali:~# xsser -h

1xsserscan1

To launch a simple Injection attack

root@kali:~# xsser -u “https://192.168.169.130/xss/example1.php?name=hacker”

2xsserscan1
3xsserscan1-1

Injection from Dork, by selecting “google” as search engine:

root@kali:~# xsser –De “google” -d “search.php?q=”

4xsser2scan

To perform Multiple injections from URL, with automatic payload, establishing a reverse connection.

xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –auto –reverse-check -s

5xsserscan

Simple URL Injection, using GET, injecting on Cookie and using DOM shadow

xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” -g “/path?vuln=” –Coo –Dom –Fp=”vulnerablescript”

6xsserscan4-1
7xsserscan4-2
8xsserscan4-3

Parameter filtering with heuristics

root@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –heuristic

9xsser5scan
10xsser5-1scan

To Launch GUI Interface

root@kali:~# xsser –gtk

You can also use TOR proxy with XSSer.

Key Features

  • Injection with both GET and POST methods.
  • Includes various filters and bypassing techniques.
  • can be used both with the command line and GUI.
  • Will provide detailed stats of the attack.

Common Defenses against XSS

  • What input do we trust?
  • Does it adhere to expected patterns?
  • Never simply reflect untrusted data.
  • Applies to data within our database too.
  • Encoding of context(Java/attribute/HTML/CSS).

You can find more Infosec resources, security news, and pen testing articles on https://gbhackers.com

Start learning with Cybrary

Create a free account

Related Posts

All Blogs
Building a Security Team
June 27, 2023

Digital Forensics and Incident Response: What It Is, When You Need It, and How to Implement It

A quick guide to digital forensics and incident response (DFIR): what it is, when it’s needed, how to implement a cutting-edge program, and how to develop DFIR skills on your team.

Read More
Building a Security Team
June 28, 2023

How to Build a Red Team

An overview of what a red team is (and isn’t), and practical tips on how to build a Red Team and develop offensive security skills in your team.

Read More
Tools & Applications
June 7, 2023

How to Make the Most of Blending Learning with Cybrary Live

Learn how to get the most from your cybersecurity training platform by blending on-demand learning with virtual, live courses led by industry experts.

Read More
News & Events
June 7, 2023

Introducing the New Cybrary Learner Experience

Cybrary is launching a key update to the Cybrary Learner experience to elevate hands-on learning and measurement as guiding tenets of Cybrary’s mission.

Read More