Part 6 - Discovering XSS
Video Activity
This lesson offers step by step instructions in how to use XSSER to find XSS.
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Description
This lesson offers step by step instructions in how to use XSSER to find XSS.
Video Transcription
00:03
>> Now we're going to use XSSER.
00:03
We're going to attempt to find
00:03
cross-site scripting with XSSER.
00:03
The command for that is XSSER -C100.
00:03
That's number of pages we want to crawl here.
00:03
-Cw, that's uppercase C,
00:03
lowercase w equals 4.
00:03
That's the depth of crawl.
00:03
How many links do you want it to click?
00:03
Now, if you were just to type
00:03
XSSER -C100 and not
00:03
have that depth of crawler, it's not going to work.
00:03
The number of pages to crawl
00:03
>> and the depth of the crawler
00:03
>> need to be in the same command
00:03
together or else it's not going to work at all.
00:03
Then you type, -U,
00:03
and then you put the URL of your target there,
00:03
where for this it's going to be a target IP address.
00:03
Let's go check it out. Here we
00:03
are back in our Kali environment.
00:03
We're going to type XSSER,
00:03
followed by -C100,
00:03
-Cw equals 4,
00:03
-U and then
00:03
192.168.0.11 and then we're going to hit "Enter".
00:03
There seems to be some problem with my syntax here.
00:03
It will be -Cw equals 4. There we go.
00:03
Now the command is running successfully here.
00:03
For some reason,
00:03
we got back zero results,
00:03
which should not be the case here because we
00:03
know that this page is vulnerable.
00:03
Let's try this command again,
00:03
let's see what we get here.
00:03
It may have been just a hiccup.
00:03
It's discarding the URL.
00:03
You have to type HTTP://, now hit "Enter".
00:03
There we go. Now it's running successfully.
00:03
Scan is completed.
00:03
If we scroll up here,
00:03
see the number of injections that
00:03
>> were attempted was 34.
00:03
>> We have 21 failed,
00:03
13 successful with an accuracy of 38 percent.
00:03
It's telling us it's 38 percent sure
00:03
here that these links
00:03
below successfully
00:03
executed across a scripting vulnerability.
00:03
Then you'd come down here and you can get your target,
00:03
the injection that was used,
00:03
method was cross-site scripting,
00:03
and the different browsers
00:03
that imitate it when it sent the request.
00:03
Now, you can change these browsers.
00:03
You can have a more robust and detailed command for
00:03
XSSER to customize exactly how the scan is done.
00:03
Now, if you have a webpage
00:03
that only responds to a certain type of browser,
00:03
some businesses may do this because they want
00:03
their internal network only
00:03
using a certain type of browser,
00:03
you would have to put this into your command here.
00:03
If you type xsser -h,
00:03
it'll give you the help page here and you can
00:03
see all the different types of
00:03
ways that you can customize it.
00:03
Now, if you want to change the user agent,
00:03
which is the type of browser that you're coming from,
00:03
you would do --user agent
00:03
equals then you would type in
00:03
the type of agent that you wanted it to be.
00:03
If you wanted to see an active verbose mode,
00:03
so see what exactly it's doing while it's doing it,
00:03
you can add a -V to it as well.
00:03
There are a lot of different ways of
00:03
customizing these scans here for you. Let's move on.
Up Next
Instructed By
Similar Content
