XSSer - Automate your XSS Injections!

[begood]

If you are aware, we posted about XSSPloit almost a year ago. Since then, we have bought to you tools like that and more every single month. Today, we bring to you XSSer!

Now, XSSer excites us as it is under active development. Also, it has more than 60 different XSS injections! In addition to that, like a true ninja tool, it also has encoders to bypass protection filters! It is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications. It contains several options to evade certain filters and various special techniques of code injection. It has been programmed in Python and so you can use it on any machine that supports Python.

We have tried to list the features of XSSer as under:

* Supports HTTP POST

* Support for Custom HTTP User-Agent header

* Cookie support

* HTTP Referer support

* HTTP Authentication type – Basic/Digest

* Proxy Support

* Different evasion techniques

* Custom XSS Payloads

* Other features such as default time out, connect re-tries, delay, etc.

It tries to evade security features by making use of the following:

* Using method String.FromCharCode()

* Using function Unescape()

* Using Hexadecimal encoding

* Using Hexadecimal encoding, with semicolons

* Using Decimal encoding

* Encodes fuzzing IP addresses in DWORD format

* Mix String.FromCharCode() and Unescape()

* Try Character Encoding mutations

* Try different custom XSS fuzzing vectors

* Try custom XSS Payloads

In addition to all of that, it supports code injection by means of Data Control Protocol injection, Document Object Model Cross-Site Scripting, Cross Site Agent Scripting, Cross Site Referer Scripting, Cross Frame Scripting! Also, you can set different different payloads, emulating all popular browsers like IE7, FireFox 2, etc.

A sample usage:

$ python XSSer.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --Fuzz --Hex --verbose -w

This uses tor proxy, injecting payloads on character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat), with fuzzing.

All in all a very good cross platform tool!

Download XSSer or Cross Site Scripter version 0.3a here.

XSSer: Automate your XSS Injections! ? PenTestIT

[SympleBoy22]

Am dat si eu acum cateva zile de el...este foarte bun.

Sa vezi acum cati xss-isti o sa apara pe forum...

[begood]

Am dat si eu acum cateva zile de el...este foarte bun.

Sa vezi acum cati xss-isti o sa apara pe forum...

own tah planet.

[vizitatoru123]

Mda dupa ce o postat careva SQLi Helper la "Show off" numa SQLi, toti postau SQLi-uri ca sa afirme ca ei l-au invatat pe Mitnick si pe altii. Acuma va urma XSS, pana va posta careva un alt tool automat de naiba stie ce si iata asa se vor afirma toti in lumea hackerilor.

[SympleBoy22]

Parca e mai cul sa cauti manual...

[vizitatoru123]

Parca e mai cul sa cauti manual...

Nu e neaparat vorba de cool, e vorba ca nu multi stiu sa faca astfel de atacuri manual si nici macar nu au habar cum obtin ei informatii din baza respectiva de date.

De XSS nici nu mai vorbesc.

Si nu, nu sunt impotriva acestori softuri, unu care stie sa faca astfel de atacuri manual poate sa le foloseasca, deoarece economiseste timp, dar nu orice pusti.

[alka2010]

Dap aici ai dreptate multi ne chinuim sa invatam scripturi ...

[begood]

August 20, 2010:

Stage 2: Added attack payloads to fuzzer (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).

July 1, 2010:

Stage 1: Dorking + Crawling + IP DWORD + Core clean.

April 19, 2010:

HTTPS implemented + patched bugs.

March 22, 2010:

Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.

March 18, 2010:

Added attack payloads to fuzzer (62 different XSS injections).

March 16, 2010:

Added new payload encoders to bypass filters.

XSSer: automatic tool for pentesting XSS attacks against different applications