Hey guys, today we will learn some cool tricks for XSS attacks. First we need to know what XSS is.
XSS:
Cross Site Scripting (XSS) is a type of web application attack that enables attackers to inject client-side script into web pages viewed by other users. The idea behind XSS is to manipulate the client-side scripts of a web application so that they execute in the manner the attacker wants. Such a manipulation can embed a script in a page that is executed every time the page is loaded, or whenever an associated event fires.
There are many payloads available to test for XSS in any website, and you can also get an XSS cheat sheet from here.
But here we are going to learn the XSSer tool, which tests for XSS with more advanced techniques.
Here is the tool's own description:
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.
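To make the definition above concrete, here is a small added example (my own code, not part of the original post and not from XSSer): a reflected-XSS sink where a user-controlled search term is dropped straight into the page, next to the same page with the term HTML-escaped. The payload string is a constructed test vector; `render_vulnerable`, `render_safe` and `contains_script` are illustrative names, not functions from any real framework.

```python
import html
import re

# Added example: a minimal reflected-XSS sink and its fixed form. Both
# functions stand in for a server-side template; they are not XSSer code.

def render_vulnerable(query: str) -> str:
    """Interpolate the user-controlled search term straight into HTML.
    Whatever the user sends becomes markup, including <script> tags."""
    return f"<p>Results for: {query}</p>"

def render_safe(query: str) -> str:
    """Same page, but the term is HTML-escaped before interpolation, so
    '<' and '>' arrive in the browser as &lt; and &gt; (text, not tags)."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def contains_script(page: str) -> bool:
    """True if the page contains a live <script> element, i.e. something the
    browser would execute when this response is loaded."""
    return _SCRIPT_TAG.search(page) is not None

PAYLOAD = '<script>alert("XSS")</script>'   # constructed test vector

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("safe:      ", render_safe(PAYLOAD))
```

The escaped output is what a correct fix looks like for an HTML text context; attribute, URL and JavaScript contexts each need their own encoding, which is exactly why scanners like XSSer try several vector shapes rather than one.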
Usage
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]
Options:
--version | show program's version number and exit |
-h, --help | show this help message and exit |
-s, --statistics | show advanced statistics output results |
-v, --verbose | verbose (default: no) |
--gtk | launch XSSer GTK Interface |
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with this extra special features:
--imx=IMX | create a false image with XSS code embedded |
--fla=FLASH | create a false .swf file with XSS code embedded |
*Select Target(s)*:
At least one of these options has to be specified to tell XSSer where to get the target URL(s) from:
-u URL, --url=URL | Enter target(s) to audit |
-i READFILE | Read target URLs from a file |
-d DORK | Process search engine dork results as target urls |
--De=DORK_ENGINE | Search engine to use for dorking (bing, altavista, yahoo, baidu, yandex, youdao, webcrawler, ask, etc. See dork.py file to check for available engines) |
*Select type of HTTP/HTTPS Connection(s)*:
These options specify which parameter(s) the payload is injected into:
-g GETDATA | Enter payload to audit using GET. (ex: '/menu.php?q=') |
-p POSTDATA | Enter payload to audit using POST. (ex: 'foo=1&bar=') |
-c CRAWLING | Number of urls to crawl on target(s): 1-99999 |
--Cw=CRAWLING_WIDTH | Crawler depth: 1-5 |
--Cl | Crawl only local target(s) urls (default TRUE) |
*Configure Request(s)*:
These options specify how to connect to the target(s). You can select multiple:
--cookie=COOKIE | Change your HTTP Cookie header |
--user-agent=AGENT | Change your HTTP User-Agent header (default SPOOFED) |
--referer=REFERER | Use another HTTP Referer header (default NONE) |
--headers=HEADERS | Extra HTTP headers newline separated |
--auth-type=ATYPE | HTTP Authentication type (value Basic or Digest) |
--auth-cred=ACRED | HTTP Authentication credentials (value name:password) |
--proxy=PROXY | Use proxy server (tor: http://localhost:8118) |
--timeout=TIMEOUT | Select your Timeout (default 30) |
--delay=DELAY | Delay in seconds between each HTTP request (default 8) |
--threads=THREADS | Maximum number of concurrent HTTP requests (default 5) |
--retries=RETRIES | Retries when the connection timeouts (default 3) |
*Select Vector(s)*:
These options specify the XSS vector to inject in each payload. Use one of them if you do not want the common XSS vector that XSSer injects by default. Choose only one option:
--payload=SCRIPT | OWN - Insert your XSS construction -manually- |
--auto | AUTO - Insert XSSer 'reported' vectors from file |
*Select Bypasser(s)*:
These options encode the selected vector(s) to try to bypass anti-XSS filters in the target's code and some IPS rules, if the target uses them. They can also be combined with the other techniques:
--Str | Use method String.FromCharCode() |
--Une | Use function Unescape() |
--Mix | Mix String.FromCharCode() and Unescape() |
--Dec | Use Decimal encoding |
--Hex | Use Hexadecimal encoding |
--Hes | Use Hexadecimal encoding, with semicolons |
--Dwo | Encode vectors IP addresses in DWORD |
--Doo | Encode vectors IP addresses in Octal |
--Cem | Try -manually- different Character Encoding mutations (reverse obfuscation: good) -> (ex:'Mix,Une,Str,Hex') |
*Special Technique(s)*:
These options can be used to try to inject code using different type of XSS techniques. You can select multiple:
--Coo | COO - Cross Site Scripting Cookie injection |
--Xsa | XSA - Cross Site Agent Scripting |
--Xsr | XSR - Cross Site Referer Scripting |
--Dcp | DCP - Data Control Protocol injections |
--Dom | DOM - Use Anchor Stealth (DOM shadows!) |
--Ind | IND - HTTP Response Splitting Induced code |
--Anchor | ANC - Use Anchor Stealth payloader (DOM shadows!) |
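The `-g` / `-p` options above choose which request parameters receive the payload, and `--Coo`, `--Xsa` and `--Xsr` extend the same idea to the Cookie, User-Agent and Referer headers. The following added example (my own code, not XSSer's, and not from the original post) shows the core of such an audit: inject a unique marker into each candidate injection point and report where it comes back unescaped. The target is a constructed in-memory handler so the script runs offline; `Request`, `app` and `probe` are illustrative names I chose, not part of any real library.

```python
import html
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added example, not XSSer's code. `app` is a constructed vulnerable handler
# standing in for a remote site; swap it for a real HTTP client (and only
# against a target you are authorised to test) to probe a live application.

@dataclass
class Request:
    get: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)

def app(req: Request) -> str:
    """Constructed handler: echoes the search term (GET or POST) and the
    Referer unescaped, HTML-escapes the User-Agent, and never renders the
    Cookie, so exactly three of the injection points should be flagged."""
    q = req.get.get("q", "") or req.post.get("q", "")
    ua = html.escape(req.headers.get("User-Agent", ""), quote=True)
    ref = req.headers.get("Referer", "")
    return (f"<p>Results for {q}</p>"
            f"<p>Browser: {ua}</p>"
            f"<p>Came from: <a href='{ref}'>back</a></p>")

def probe(handler: Callable[[Request], str],
          get_params: List[str], post_params: List[str]) -> List[str]:
    """Send a marker wrapped in tag characters through every injection point
    and return the points where it is reflected without encoding."""
    marker = "xsser" + secrets.token_hex(4)   # unique per run: no stale hits
    vector = f'"><{marker}>'                  # breaks out of attributes and text

    def reflected(page: str) -> bool:
        # An escaped reflection would read &lt;xsser...&gt; and not match.
        return f"<{marker}>" in page

    findings: List[str] = []
    for p in get_params:
        if reflected(handler(Request(get={p: vector}))):
            findings.append(f"GET {p}")
    for p in post_params:
        if reflected(handler(Request(post={p: vector}))):
            findings.append(f"POST {p}")
    # The three header-based techniques from the option list above.
    for header, label in (("Cookie", "COO"), ("User-Agent", "XSA"),
                          ("Referer", "XSR")):
        if reflected(handler(Request(headers={header: vector}))):
            findings.append(f"{label} {header}")
    return findings

if __name__ == "__main__":
    for hit in probe(app, ["q", "page"], ["q"]):
        print("reflected unescaped via", hit)
```

Note that the Referer case is only flagged because the marker lands unescaped inside an `href` attribute; a single `<marker>` check like this finds unescaped reflection but says nothing about whether a given context is actually exploitable, which is where the vector and bypasser options come in.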
*Select Final injection(s)*:
These options specify the final code to inject into vulnerable target(s). This matters if you want to actually exploit the vulnerabilities you discover, rather than only detect them.
Choose only one option:
--Fp=FINALPAYLOAD | OWN - Insert your final code to inject -manually- |
--Fr=FINALREMOTE | REMOTE - Insert your final code to inject -remotely- |
--Doss | DOSs - XSS Denial of service (server) injection |
--Dos | DOS - XSS Denial of service (client) injection |
--B64 | B64 - Base64 code encoding in META tag (RFC 2397) |
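The bypasser options listed earlier (`--Str`, `--Une`, `--Dec`, `--Hex`, `--Hes`, `--Dwo`, `--Doo`, `--Cem`) and the `--B64` final injection just above are one-line descriptions of well-known encodings. This added example (my own code, not XSSer's, and not from the original post) reimplements each one so you can see what the transformed vector actually looks like. The functions follow the standard definition of each encoding; the exact bytes XSSer emits, the left-to-right order I assume for a `--Cem` chain, and the `<meta>` refresh form I assume for `--B64` are my assumptions, not verified against the tool.

```python
import base64
import re

# Added example, not XSSer's code: reference implementations of the
# encodings named by the Bypasser and B64 options.

def str_fromcharcode(js: str) -> str:
    """--Str: rebuild JS from char codes; no quotes or keywords in the request."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + ")"

def unescape_js(js: str) -> str:
    """--Une: %XX-escape every character and let unescape() decode at run time."""
    return "unescape('" + "".join(f"%{ord(c):02X}" for c in js) + "')"

def html_decimal(text: str) -> str:
    """--Dec: HTML decimal character references (&#60;), decoded by the HTML
    parser before any script engine or naive string filter sees them."""
    return "".join(f"&#{ord(c)};" for c in text)

def html_hex(text: str, semicolons: bool = False) -> str:
    """--Hex (no semicolons) / --Hes (with semicolons): HTML hex references.
    Browsers accept both forms; some filters only match one of them."""
    sep = ";" if semicolons else ""
    return "".join(f"&#x{ord(c):X}{sep}" for c in text)

_IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")

def ip_to_dword(vector: str) -> str:
    """--Dwo: dotted quads become one 32-bit integer (127.0.0.1 -> 2130706433),
    which hides the attacker host from naive IP/host pattern matching."""
    def repl(m):
        a, b, c, d = (int(x) for x in m.groups())
        return str((a << 24) | (b << 16) | (c << 8) | d)
    return _IPV4.sub(repl, vector)

def ip_to_octal(vector: str) -> str:
    """--Doo: each octet as a zero-prefixed octal number (0177.00.00.01)."""
    return _IPV4.sub(lambda m: ".".join(f"0{int(x):o}" for x in m.groups()),
                     vector)

# Table used by the --Cem-style chain below.
ENCODERS = {"Str": str_fromcharcode, "Une": unescape_js, "Dec": html_decimal,
            "Hex": lambda t: html_hex(t, False), "Hes": lambda t: html_hex(t, True),
            "Dwo": ip_to_dword, "Doo": ip_to_octal}

def cem_chain(vector: str, chain: str) -> str:
    """--Cem-style mutation chain, e.g. 'Dwo,Dec'. Assumption: encoders are
    applied left to right, each to the output of the previous one."""
    for name in chain.split(","):
        vector = ENCODERS[name.strip()](vector)
    return vector

def b64_meta_refresh(final_html: str) -> str:
    """--B64 (assumed form): wrap the final payload in an RFC 2397 data: URI
    inside a <meta> refresh. Current Chromium and Firefox block top-level
    navigation to data: URLs, so this mainly matters for older browsers."""
    enc = base64.b64encode(final_html.encode()).decode()
    return (f'<meta http-equiv="refresh" '
            f'content="0;url=data:text/html;base64,{enc}">')

if __name__ == "__main__":
    for name, fn in ENCODERS.items():
        print(name, "->", fn("http://127.0.0.1/x.js" if name in ("Dwo", "Doo")
                             else "alert(1)"))
    print(b64_meta_refresh("<script>alert(1)</script>"))
```

When testing a filter, run each encoder separately first: a hit from `--Dec` but not `--Hex` tells you the filter decodes one reference style and not the other, which is more useful to the developer fixing it than "the chained payload got through".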
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select multiple and combine with your final code (except with DCP code):
--Onm | ONM - Use onMouseMove() event to inject code |
--Ifr | IFR - Use "iframe" source tag to inject code |
*Miscellaneous*:
--silent | inhibit console output results |
--update | check for XSSer latest stable version |
--save | output all results directly to template (XSSlist.dat) |
--xml=FILEXML | output 'positives' to an XML file (--xml filename.xml) |
--publish | output 'positives' to Social Networks (identi.ca) |
--short=SHORTURLS | display -final code- shortened (tinyurl, is.gd) |
--launch | launch a browser at the end with each XSS discovered |
I know that some people won't understand this... for them, I have another post:
"Examples of XSSER"