Jump to content
me.mello

Detecting and Exploiting XSS Injections using XSSer Tool

Recommended Posts

Posted

Author: Punter

About XSSer Tool

XSSer http://xsser.sourceforge.net/ is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections in any website.

In this introductory article I will show you how easy to use the XSSer for Detection and Exploitation of XSS in a vulnerable website.

In action with XSSer

Here we will experiment this tool on following test vulnerable website, acuforum forums

Below are simple steps on using XSSer.


root@punter:/pentest/web# $ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser

root@punter:/pentest/web# cd xsser

root@punter:/pentest/web/xsser# python XSSer.py -u 'http://testasp.vulnweb.com' -g 'Search.asp?tfSearch='
-proxy 'http://127.0.0.1:8118? -referer '666.666.666.666? -user-agent 'correct audit' -Fuzz -s

XSSer Action Screenshots

After you execute above sequence of commands you can see the results as shown in the sequence of screenshots below.

Screenshot 1: Testing the vulnerable website for XSS Injections using XSSer

xss1.jpg

Screenshot 2: Testing the vulnerable website for XSS Injections using XSSer [Continued]

xss2.jpg

Screenshot 3: Final results of XSS Detection operation. You can see that XSSer has already found couple of XSS flaws in our test website.

xss3.jpg

Exploitation of XSS Injections

In the above screenshot, the text marked in blue indicates attack vector which can trigger XSS Injections on this website.

Now we can go ahead and manually verfy these injections and it does not take long.

Below is the screenshot showing successful exploitation of detected XSS Injection.

xss5.jpg

Conclusion

This article shows how easy to use XSSer tool to detect those hidden XSS flaws in any website using very simple steps. You can rest your brain for the time being while XSSer does all the job for you.

Download XSSer: http://xsser.sourceforge.net/ >:D<

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...