================================================================ Changelog: XSSer v1.8.2 (https://xsser.03c8.net) ============================== ================= November 16, 2019: ================= - Ported to: Python3.x - Bugfixing - Added: Anti-antiXSS Firewall rules (Bypassers provided: SucuriWAF) - Modified/Updated GTK+ - Added Requirements - Updated Documentation - Updated Website ================= September 20, 2019: ================= - Re-factorized: Main(), Hashers, Payloaders, Reporters, Exporters... - Removed: deprecated features - Removed: --no-head (from default) - Added: new options: --check-tor, --auto-set, --auto-info and --auto-random - Added: new search engines: duck, startpage - Added: new dorks (Total: 40) - Added: Anti-antiXSS Firewall rules (Bypassers provided for: Firefox, IE, Opera, Chrome) - Modified/Updated: DCP (Data Control Protocol) method - Modified/Updated: HTTPrs (HTTP Response Splitting) injections - Modified/Updated: GTK+ - Modified/Updated: Crawler/Spidering - Updated: "Extra Attacks" (XSA, XSR, COOKIE) - Updated: Automatic XSS vectors list (Total: 1326 = XSS: 1293 + DCP: 16 + DOM: 6 + HTTPsr: 11) - Updated: XSSer tool updater - Updated: Documentation ================= April 12, 2018: ================= - Removed deprecated features (search engines, SSLv3...) - Fixed auto-update option ================= February 24, 2016: ================= - Removed deprecated features - Updated Automatic XSS vectors list (Total: 578 = XSS: 558 + DCP: 4 + DOM: 5 + HTTPsr: 11) - Added XST (Cross Site Tracing) - Advanced XSA (Cross Site Agent), XSR (Cross Site Referer) and Cookie Injection - Updated/Fixed Dorkering system (Search engines supported: duck, bing, google, yahoo, yandex) - Added Dorking from file (30 potential 'XSS dorks' provided) - Added Mass-Dorking (search with all search engines provided) - Added Discarding response method to evade false positives - Added Anti-antiXSS Firewall rules (Bypassers provided for: PHPIDS, Imperva, WebKnight, F5BigIP, Barracuda, Apache-Modsec, QuickDefense) - Added 'Wizard Helper' to shell mode - Updated XSSer tool updater - Updated 'Mana' system - Fixed Crawlering system - Added feature: 'Automatically audit an entire target" - Modified/Updated GTK+ - Added Requirements - Updated Documentation ================= November 28, 2011: ================= - Added Drop Cookie option - Added Random IP X-Forwarded-For an X-Client-IP option - Added GSS and NTLM authentication methods - Added Ignore proxy option - Added TCP-NODELAY option - Added Follow redirects option - Added Follow redirects limiter parameter - Added Auto-HEAD precheck system - Added No-HEAD option - Added Isalive option - Added Check at url option (Blind XSS) - Added Reverse Check parameter - Added PHPIDS (v.0.6.5) exploit - Added More vectors to auto-payloading - Added HTML5 studied vectors - Fixed Different bugs on core - Fixed Curl handlerer options - Fixed Dorkerers system - Fixed Bugs on results propagation - Fixed POST requests - Added New features to GTK controller - Added Detailed views to GTK interface ================= February 21, 2011: ================= - Added heuristic test - Updated dorkers list - HTTP Response Splitting Induced code - GTK+ interface - Geomapping - Multithreading workers - Test controllers - Added websockets technology (orbited) - Added update option - DoS (server) side injection - DCP/DOM/Induced final code - Code clean - Bugfixing - New options menu - More advanced statistics system ================= November 7, 2010: ================= - Added "final remote injections" option - Cross Flash Attack! - Cross Frame Scripting - Data Control Protocol Injections - Base64 (rfc2397) PoC - OnMouseMove PoC - Browser launcher - Code clean - Bugfixing - New options menu - Pre-check system - Crawler spidering clones - More advanced statistics system - "Mana" ouput results ================= September 22, 2010: ================= - Added a-xml exporter - ImageXSS - New dorker engines (total 10) - Core clean - Bugfixing - Social Networking auto-publisher - Started -federated- XSS (full disclosure) pentesting botnet http://identi.ca/xsserbot01 http://twitter.com/xsserbot01 ================= August 20, 2010: ================= - Added attack payloads to fuzzer (26 new injections) - POST - Statistics - URL Shorteners - IP Octal - Post-processing payloading - DOM Shadows! - Cookie injector - Browser DoS (Denegation of Service) ================= July 1, 2010: ================= - Dorking - Crawling - IP DWORD + Core clean ================= April 19, 2010: ================= - HTTPS implemented + patched bugs ================= March 22, 2010: ================= - Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer ================= March 18, 2010: ================= - Added attack payloads to fuzzer (62 different XSS injections) ================= March 16, 2010: ================= - Added new payload encoders to bypass filters