Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson offers step-by-step instructions on how to use XSSer to find XSS.

Video Transcription

00:04
And now we're going to use XSSer. We're gonna attempt to find cross-site scripting with XSSer.
00:12
And the command for that is xsser
00:15
-c 100. This is the number of pages we want to crawl here.
00:21
-Cw, it's upper case C, lower case w, equals four. That's the depth of the crawl: how many links do you want to click. Now, if you were to just type xsser -c 100 and not have that depth of crawler, it's not gonna work. The number of pages to crawl
00:41
and the depth of the crawler.
00:42
need to be in the same command together or else it's not gonna work at all. Then you tell it -u
00:50
and then you put the URL of your target there.
00:54
Where, for this, it's gonna be a target IP address.
00:58
Let's go check it out.
01:03
So here we are, back in our Kali environment. We're gonna type xsser,
01:10
followed by -c
01:12
100
01:15
-Cw, upper case C, lower case w, equals four.
01:22
-u
01:23
and then
01:26
192.168.0.11. And then we're gonna hit Enter.
01:34
There seems to be some problem with my syntax here.
01:53
And it would be
01:56
--Cw=4. There we go.
02:06
Now, the command is running successfully here.
02:10
For some reason,
02:14
we got back zero results
02:16
which should not be the case here, because we know that this page is vulnerable.
02:22
Let's try this command again. We'll see what we get here.
02:25
There may be a
02:27
It may have been just a hiccup.
02:31
Ah,
02:32
it's discarding the URL. So you have to type http://, colon, forward slash, forward slash.
02:39
Now I hit Enter
02:43
and there we go. Now it's run successfully.
02:52
All right. Scan is completed.
02:54
if we scroll up here.
02:55
Okay.
02:59
So the number of injections that were attempted was 34.
03:01
We have 21 failed
03:04
13 successful,
03:07
with an accuracy of 38%. So it's telling us it's 38% sure here that these links below
03:16
successfully
03:20
executed a cross-site scripting vulnerability.
03:23
So you come down here
03:25
and you get
03:28
your target, the injection you used, the method, which was cross-site scripting, and
03:34
the different browsers that
03:37
it imitated when it sent the request. Now, you can change these browsers. You can have a more robust and detailed
03:47
command for XSSer
03:50
to customize exactly how the scan is completed, how the scan is done.
03:57
Now,
03:58
if you have a web page that only responds to a certain type of browser, some businesses may do this because they want their internal network only using a certain type of browser.
04:11
You would have to put this into your command here.
04:20
And if you type xsser -h,
04:25
it'll give you the help page here, and
04:28
you can see all the different ways that you can customize it. Now, if you want to change the user agent, which is the type of browser that you're coming from, you would do --user-agent=, then you would type in the type of agent that you want to be.
04:50
If you want to see it in active, verbose mode, so you see exactly what it's doing, you can add -v to it as well.
05:03
So there are a lot of different ways of customizing
05:10
these scans here for you.
05:12
All right, and let's move on
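The lesson above hits two gotchas in a row: the crawl page count (-c) and crawl depth (--Cw) have to be given together, and a target typed without http:// is silently discarded, so the scan reports zero results against a page that is known to be vulnerable. The following is an added example, not part of the lesson or of the XSSer project: a small POSIX shell wrapper that checks both conditions before the command is built, using only the flags the lesson names (-u, -c, --Cw=, --user-agent=, -v). It prints the assembled command rather than running xsser, so it works offline; the function name and argument order are this example's own choices.

```shell
#!/bin/sh
# Added example (not XSSer's own code): assemble an xsser crawl command the way
# the lesson describes, refusing the two mistakes the video runs into.
#
# Usage: xsser_cmd TARGET PAGES DEPTH [USER_AGENT] [verbose]
#   TARGET      full URL including scheme, e.g. http://192.168.0.11
#   PAGES       number of pages to crawl        (xsser -c)
#   DEPTH       crawler depth                   (xsser --Cw=)
#   USER_AGENT  optional browser string to send (xsser --user-agent=)
#   verbose     literal word "verbose" to add -v
xsser_cmd() {
    target=$1
    pages=$2
    depth=$3
    agent=$4
    verbose=$5

    # xsser discards a target with no scheme (the video's first failed run),
    # so fail loudly here instead of getting a misleading "0 results".
    case "$target" in
        http://*|https://*) ;;
        *)
            echo "error: target must start with http:// or https://" >&2
            return 1
            ;;
    esac

    # -c and --Cw must appear in the same command; refuse one without the other.
    if [ -z "$pages" ] || [ -z "$depth" ]; then
        echo "error: both crawl page count (-c) and crawl depth (--Cw) are required" >&2
        return 1
    fi
    case "$pages$depth" in
        *[!0-9]*)
            echo "error: page count and depth must be positive integers" >&2
            return 1
            ;;
    esac

    cmd="xsser -c $pages --Cw=$depth -u $target"

    # Optional: pretend to be a specific browser, for sites that only answer
    # a particular user agent (assumed flag spelling from the lesson's -h output).
    if [ -n "$agent" ]; then
        cmd="$cmd --user-agent='$agent'"
    fi

    # Optional: verbose mode to watch what xsser is doing.
    if [ "$verbose" = "verbose" ]; then
        cmd="$cmd -v"
    fi

    printf '%s\n' "$cmd"
}

# Stand-alone demo, using the target from the lesson as a constructed sample.
xsser_cmd http://192.168.0.11 100 4
xsser_cmd http://192.168.0.11 100 4 'Mozilla/5.0' verbose
```

Pipe the printed line into `sh` once you have confirmed it is what you intend; keeping the build and the run separate makes it easy to review the exact flags before a crawl that will hit a hundred pages of a target.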

Instructed By

Raymond Evans
Instructor