XSSer – Automated Web Pentesting Platform Tool for XSS Vulnerability Identification and Exploitation

Mark Funk December 6, 2019

XSS is a commonly used vulnerability category that is very prevalent and easily detectable for XSS.

An attacker can insert untrusted JavaScript snippets without authorization into your program. The user who visits the target website then executes this JavaScript.

Cross-site Scripter (aka XSSer) is an automated system for finding, leveraging and reporting web-based vulnerabilities in XSS.

This provides several ways for trying to circumvent other filters and several different injection code techniques.

XSSer setup–XSS update

XSSer is operating on a number of platforms. Python and the following libraries are required:

- python-pycurl - Python bindings to libcurl
- python-xmlbuilder - create xml/(x)html files - Python 2.x
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

To install on Debian-based systems

sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip

Usage

To list all the features XSSer Package “xsser -h”

root@kali:~# xsser -h

To launch a simple Injection attack

root@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker”

Injection from Dork, by selecting “google” as search engine:

root@kali:~# xsser –De “google” -d “search.php?q=”

In this KaliLinux tutorial, a reverse link is formed to make multiple URL injections with automatic payload.

xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –auto –reverse-check -s

Simple URL Injection, using GET, injecting on Cookie and using DOM shadow

xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” -g “/path?vuln=” –Coo –Dom –Fp=”vulnerablescript”

Parameter filtering with heuristics

root@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –heuristic

To Launch GUI Interface

root@kali:~# xsser –gtk

Core characteristics

Both GET and POST injections.
Includes different filters and bypass techniques.
The command line and GUI can be used respectively.
Will give detailed details about the attack.

XSS Standard Defenses

Which feedback do we have faith in?
Does it stick to the patterns expected?
Do not represent untrustworthy results.
Even applicable for data in our database.
Context (Java / attribute / HTML / CSS) encoding.

Mark Funk December 6, 2019

View More Posts

Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.