Home Explore Help
Sign In
epsylon
/
xsser
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Tree: ef8e8c3f4c
Branches Tags
xsser
/
xsser
/
doc
/
README

README 8.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 
  1. ================================================================
    2. 

  2. Introduction:
    3. 

  3. ==============================
    4. 

  4. 

  5. Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
    6. 

  6. 

  7. It contains several options to try to bypass certain filters, and various special techniques of code injection.
    8. 

  8. 

  9. ================================================================
    10. 

  10. Options and features:
    11. 

  11. ==============================
    12. 

  12.  
    13. 

  13. xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
    14. 

  14. [Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}
    15. 

  15. 

  16. Cross Site "Scripter" is an automatic -framework- to detect, exploit and
    17. 

  17. report XSS vulnerabilities in web-based applications.
    18. 

  18. 

  19. Options:
    20. 

  20.   --version             show program's version number and exit
    21. 

  21.   -h, --help            show this help message and exit
    22. 

  22.   -s, --statistics      show advanced statistics output results
    23. 

  23.   -v, --verbose         active verbose mode output results
    24. 

  24.   --gtk                 launch XSSer GTK Interface
    25. 

  25.   --wizard              start Wizard Helper!
    26. 

  26. 

  27.   *Special Features*:
    28. 

  28.     You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
    29. 

  29.     code embedded. XST allows you to discover if target is vulnerable to
    30. 

  30.     'Cross Site Tracing' [CAPEC-107]:
    31. 

  31. 

  32.     --imx=IMX           IMX - Create an image with XSS (--imx image.png)
    33. 

  33.     --fla=FLASH         FLA - Create a flash movie with XSS (--fla movie.swf)
    34. 

  34.     --xst=XST           XST - Cross Site Tracing (--xst http(s)://host.com)
    35. 

  35. 

  36.   *Select Target(s)*:
    37. 

  37.     At least one of these options must to be specified to set the source
    38. 

  38.     to get target(s) urls from:
    39. 

  39. 

  40.     --all=TARGET        Automatically audit an entire target
    41. 

  41.     -u URL, --url=URL   Enter target to audit
    42. 

  42.     -i READFILE         Read target(s) urls from file
    43. 

  43.     -d DORK             Search target(s) using a query (ex: 'news.php?id=')
    44. 

  44.     -l                  Search from a list of 'dorks'
    45. 

  45.     --De=DORK_ENGINE    Use this search engine (default: yahoo)
    46. 

  46.     --Da                Search massively using all search engines
    47. 

  47. 

  48.   *Select type of HTTP/HTTPS Connection(s)*:
    49. 

  49.     These options can be used to specify which parameter(s) we want to use
    50. 

  50.     as payload(s). Set 'XSS' as keyword on the place(s) that you want to
    51. 

  51.     inject:
    52. 

  52. 

  53.     -g GETDATA          Send payload using GET (ex: '/menu.php?id=3&q=XSS')
    54. 

  54.     -p POSTDATA         Send payload using POST (ex: 'foo=1&bar=XSS')
    55. 

  55.     -c CRAWLING         Number of urls to crawl on target(s): 1-99999
    56. 

  56.     --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default 3)
    57. 

  57.     --Cl                Crawl only local target(s) urls (default TRUE)
    58. 

  58. 

  59.   *Configure Request(s)*:
    60. 

  60.     These options can be used to specify how to connect to the target(s)
    61. 

  61.     payload(s). You can choose multiple:
    62. 

  62. 

  63.     --cookie=COOKIE     Change your HTTP Cookie header
    64. 

  64.     --drop-cookie       Ignore Set-Cookie header from response
    65. 

  65.     --user-agent=AGENT  Change your HTTP User-Agent header (default SPOOFED)
    66. 

  66.     --referer=REFERER   Use another HTTP Referer header (default NONE)
    67. 

  67.     --xforw             Set your HTTP X-Forwarded-For with random IP values
    68. 

  68.     --xclient           Set your HTTP X-Client-IP with random IP values
    69. 

  69.     --headers=HEADERS   Extra HTTP headers newline separated
    70. 

  70.     --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)
    71. 

  71.     --auth-cred=ACRED   HTTP Authentication credentials (name:password)
    72. 

  72.     --proxy=PROXY       Use proxy server (tor: http://localhost:8118)
    73. 

  73.     --ignore-proxy      Ignore system default HTTP proxy
    74. 

  74.     --timeout=TIMEOUT   Select your timeout (default 30)
    75. 

  75.     --retries=RETRIES   Retries when the connection timeouts (default 1)
    76. 

  76.     --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)
    77. 

  77.     --delay=DELAY       Delay in seconds between each HTTP request (default 0)
    78. 

  78.     --tcp-nodelay       Use the TCP_NODELAY option
    79. 

  79.     --follow-redirects  Follow server redirection responses (302)
    80. 

  80.     --follow-limit=FLI  Set limit for redirection requests (default 50)
    81. 

  81. 

  82.   *Checker Systems*:
    83. 

  83.     These options are useful to know if your target is using filters
    84. 

  84.     against XSS attacks:
    85. 

  85. 

  86.     --hash              send a hash to check if target is repeating content
    87. 

  87.     --heuristic         discover parameters filtered by using heuristics
    88. 

  88.     --discode=DISCODE   set code on reply to discard an injection
    89. 

  89.     --checkaturl=ALT    check reply using: alternative url -> Blind XSS
    90. 

  90.     --checkmethod=ALTM  check reply using: GET or POST (default: GET)
    91. 

  91.     --checkatdata=ALD   check reply using: alternative payload
    92. 

  92.     --reverse-check     establish a reverse connection from target to XSSer to
    93. 

  93.                         certify that is 100% vulnerable (recommended!)
    94. 

  94. 

  95.   *Select Vector(s)*:
    96. 

  96.     These options can be used to specify injection(s) code. Important if
    97. 

  97.     you don't want to inject a common XSS vector used by default. Choose
    98. 

  98.     only one option:
    99. 

  99. 

  100.     --payload=SCRIPT    OWN  - Inject your own code
    101. 

  101.     --auto              AUTO - Inject a list of vectors provided by XSSer
    102. 

  102. 

  103.   *Anti-antiXSS Firewall rules*:
    104. 

  104.     These options can be used to try to bypass specific WAF/IDS products.
    105. 

  105.     Choose only if required:
    106. 

  106. 

  107.     --Phpids0.6.5       PHPIDS (0.6.5) [ALL]
    108. 

  108.     --Phpids0.7         PHPIDS (0.7) [ALL]
    109. 

  109.     --Imperva           Imperva Incapsula [ALL]
    110. 

  110.     --Webknight         WebKnight (4.1) [Chrome]
    111. 

  111.     --F5bigip           F5 Big IP [Chrome + FF + Opera]
    112. 

  112.     --Barracuda         Barracuda WAF [ALL]
    113. 

  113.     --Modsec            Mod-Security [ALL]
    114. 

  114.     --Quickdefense      QuickDefense [Chrome]
    115. 

  115. 

  116.   *Select Bypasser(s)*:
    117. 

  117.     These options can be used to encode vector(s) and try to bypass
    118. 

  118.     possible anti-XSS filters. They can be combined with other techniques:
    119. 

  119. 

  120.     --Str               Use method String.FromCharCode()
    121. 

  121.     --Une               Use Unescape() function
    122. 

  122.     --Mix               Mix String.FromCharCode() and Unescape()
    123. 

  123.     --Dec               Use Decimal encoding
    124. 

  124.     --Hex               Use Hexadecimal encoding
    125. 

  125.     --Hes               Use Hexadecimal encoding with semicolons
    126. 

  126.     --Dwo               Encode IP addresses with DWORD
    127. 

  127.     --Doo               Encode IP addresses with Octal
    128. 

  128.     --Cem=CEM           Set different 'Character Encoding Mutations'
    129. 

  129.                         (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')
    130. 

  130. 

  131.   *Special Technique(s)*:
    132. 

  132.     These options can be used to inject code using different XSS
    133. 

  133.     techniques. You can choose multiple:
    134. 

  134. 

  135.     --Coo               COO - Cross Site Scripting Cookie injection
    136. 

  136.     --Xsa               XSA - Cross Site Agent Scripting
    137. 

  137.     --Xsr               XSR - Cross Site Referer Scripting
    138. 

  138.     --Dcp               DCP - Data Control Protocol injections
    139. 

  139.     --Dom               DOM - Document Object Model injections
    140. 

  140.     --Ind               IND - HTTP Response Splitting Induced code
    141. 

  141.     --Anchor            ANC - Use Anchor Stealth payloader (DOM shadows!)
    142. 

  142. 

  143.   *Select Final injection(s)*:
    144. 

  144.     These options can be used to specify the final code to inject on
    145. 

  145.     vulnerable target(s). Important if you want to exploit 'on-the-wild'
    146. 

  146.     the vulnerabilities found. Choose only one option:
    147. 

  147. 

  148.     --Fp=FINALPAYLOAD   OWN    - Exploit your own code
    149. 

  149.     --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-
    150. 

  150.     --Doss              DOSs   - XSS (server) Denial of Service
    151. 

  151.     --Dos               DOS    - XSS (client) Denial of Service
    152. 

  152.     --B64               B64    - Base64 code encoding in META tag (rfc2397)
    153. 

  153. 

  154.   *Special Final injection(s)*:
    155. 

  155.     These options can be used to execute some 'special' injection(s) on
    156. 

  156.     vulnerable target(s). You can select multiple and combine them with
    157. 

  157.     your final code (except with DCP code):
    158. 

  158. 

  159.     --Onm               ONM - Use onMouseMove() event
    160. 

  160.     --Ifr               IFR - Use <iframe> source tag
    161. 

  161. 

  162.   *Reporting*:
    163. 

  163.     --save              export to file (XSSreport.raw)
    164. 

  164.     --xml=FILEXML       export to XML (--xml file.xml)
    165. 

  165. 

  166.   *Miscellaneous*:
    167. 

  167.     --silent            inhibit console output results
    168. 

  168.     --no-head           NOT send a HEAD request before start a test
    169. 

  169.     --alive=ISALIVE     set limit of errors before check if target is alive
    170. 

  170.     --update            check for latest stable version
    171. 

  171. 

  172.