Jump to content
begood

XSSer - Automate your XSS Injections!

Recommended Posts

2a9yypy.png

If you are aware, we posted about XSSPloit almost a year ago. Since then, we have bought to you tools like that and more every single month. Today, we bring to you XSSer!

Now, XSSer excites us as it is under active development. Also, it has more than 60 different XSS injections! In addition to that, like a true ninja tool, it also has encoders to bypass protection filters! It is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications. It contains several options to evade certain filters and various special techniques of code injection. It has been programmed in Python and so you can use it on any machine that supports Python.

We have tried to list the features of XSSer as under:

* Supports HTTP POST

* Support for Custom HTTP User-Agent header

* Cookie support

* HTTP Referer support

* HTTP Authentication type – Basic/Digest

* Proxy Support

* Different evasion techniques

* Custom XSS Payloads

* Other features such as default time out, connect re-tries, delay, etc.

It tries to evade security features by making use of the following:

* Using method String.FromCharCode()

* Using function Unescape()

* Using Hexadecimal encoding

* Using Hexadecimal encoding, with semicolons

* Using Decimal encoding

* Encodes fuzzing IP addresses in DWORD format

* Mix String.FromCharCode() and Unescape()

* Try Character Encoding mutations

* Try different custom XSS fuzzing vectors

* Try custom XSS Payloads

In addition to all of that, it supports code injection by means of Data Control Protocol injection, Document Object Model Cross-Site Scripting, Cross Site Agent Scripting, Cross Site Referer Scripting, Cross Frame Scripting! Also, you can set different different payloads, emulating all popular browsers like IE7, FireFox 2, etc.

A sample usage:

$ python XSSer.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --Fuzz --Hex --verbose -w

This uses tor proxy, injecting payloads on character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat), with fuzzing.

All in all a very good cross platform tool!

Download XSSer or Cross Site Scripter version 0.3a here.

XSSer: Automate your XSS Injections! ? PenTestIT

Link to comment
Share on other sites

Parca e mai cul sa cauti manual...

Nu e neaparat vorba de cool, e vorba ca nu multi stiu sa faca astfel de atacuri manual si nici macar nu au habar cum obtin ei informatii din baza respectiva de date.

De XSS nici nu mai vorbesc.

Si nu, nu sunt impotriva acestori softuri, unu care stie sa faca astfel de atacuri manual poate sa le foloseasca, deoarece economiseste timp, dar nu orice pusti.

Link to comment
Share on other sites

August 20, 2010:

Stage 2: Added attack payloads to fuzzer (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).

July 1, 2010:

Stage 1: Dorking + Crawling + IP DWORD + Core clean.

April 19, 2010:

HTTPS implemented + patched bugs.

March 22, 2010:

Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.

March 18, 2010:

Added attack payloads to fuzzer (62 different XSS injections).

March 16, 2010:

Added new payload encoders to bypass filters.

XSSer: automatic tool for pentesting XSS attacks against different applications

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...