Cross-site scripting (XSS) is one of the most common web vulnerability classes, and because an injected payload is usually reflected straight back into the response it is also one of the easiest to detect automatically.
Cross Site "Scripter" (aka XSSer) is an automated framework for detecting, exploiting and reporting XSS vulnerabilities in web applications.
It ships with several options for trying to bypass input filters and a range of different injection techniques.
XSSer setup and update
XSSer runs on a number of platforms. It requires Python and the following libraries:
- python-pycurl - Python bindings to libcurl
- python-xmlbuilder - create xml/(x)html files
- Python 2.x (the version of XSSer described in this tutorial)
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library
To install the dependencies on Debian-based systems:
sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip
To list all of XSSer's options, run xsser -h:
root@kali:~# xsser -h
To launch a simple injection attack against a single URL (the vulnerable parameter is name; XSSer replaces its value with each payload):
root@kali:~# xsser -u "http://192.168.169.130/xss/example1.php?name=hacker"
Injection from a dork, selecting "google" as the search engine (-d is the dork, --De the engine):
root@kali:~# xsser --De "google" -d "search.php?q="
Multiple injections against one URL using XSSer's built-in list of vectors (--auto), with a reverse check to confirm that the payload really executed (--reverse-check) and statistics output (-s):
root@kali:~# xsser -u "http://192.168.169.130/xss/example1.php?name=hacker" --auto --reverse-check -s
Simple URL injection using GET data (-g), also injecting into the Cookie header (--Coo), using the DOM shadow space (--Dom) and supplying a final payload of your own (--Fp):
root@kali:~# xsser -u "http://192.168.169.130/xss/example1.php?name=hacker" -g "/path?vuln=" --Coo --Dom --Fp="vulnerablescript"
Discover which characters the parameter's filter removes or encodes, using heuristics:
root@kali:~# xsser -u "http://192.168.169.130/xss/example1.php?name=hacker" --heuristic
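The heuristic mode above works by sending each special character separately, wrapped in a harmless alphanumeric marker, and checking how the page reflects it. The following Python script is an added example of that technique; it is not XSSer's own code, and the probe list, the classification labels and the constructed_target stand-in (which imitates a filter that strips angle brackets and HTML-encodes double quotes) are assumptions made for this illustration. make_http_fetch builds a real fetcher for a GET parameter such as name on example1.php, but the example itself runs offline against the stand-in.

```python
import html
import re
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Characters that XSS filters commonly strip or encode. Each one is probed on
# its own so that one filtered character cannot mask the others. (Our list,
# not XSSer's.)
PROBE_CHARS = ['<', '>', '"', "'", '/', '(', ')', ';', '=']


def classify(body: str, marker: str, ch: str) -> str:
    """Classify how the target reflected a single probe character.

    'reflected' - the raw character sits between the markers (usable for XSS)
    'encoded'   - the markers are present but the character was HTML-encoded
    'filtered'  - the markers are present but the character was removed
    'absent'    - the parameter is not reflected into the page at all
    """
    m = re.search(re.escape(marker) + '(.*?)' + re.escape(marker), body, re.S)
    if not m:
        return 'absent'
    between = m.group(1)
    if between == ch:
        return 'reflected'
    if html.unescape(between) == ch:
        return 'encoded'
    if between == '':
        return 'filtered'
    return 'other:' + between


def heuristic_scan(fetch: Callable[[str], str],
                   marker: Optional[str] = None) -> Dict[str, str]:
    """Probe every character in PROBE_CHARS through `fetch` and classify each.

    `fetch` takes the parameter value to inject and returns the response body.
    The marker is random alphanumerics so no filter will touch it; a fixed one
    can be passed in for reproducible runs.
    """
    marker = marker or secrets.token_hex(4)
    return {ch: classify(fetch(marker + ch + marker), marker, ch)
            for ch in PROBE_CHARS}


def make_http_fetch(base_url: str, param: str) -> Callable[[str], str]:
    """Build a fetch function for a real GET parameter (e.g. name on example1.php).

    Only standard-library calls are used; this is not executed in the offline demo.
    """
    def fetch(value: str) -> str:
        sep = '&' if '?' in base_url else '?'
        url = base_url + sep + urllib.parse.urlencode({param: value})
        with urllib.request.urlopen(url, timeout=10) as resp:
            charset = resp.headers.get_content_charset() or 'utf-8'
            return resp.read().decode(charset, 'replace')
    return fetch


def constructed_target(value: str) -> str:
    """Constructed stand-in for a filtering example1.php (assumption, not the
    tutorial's target): strips angle brackets, HTML-encodes double quotes and
    reflects everything else verbatim into the page body."""
    value = value.replace('<', '').replace('>', '')
    value = value.replace('"', '&quot;')
    return '<html><body>Hello ' + value + '</body></html>'


if __name__ == '__main__':
    # Offline demonstration against the constructed stand-in. To probe the
    # tutorial's lab host instead, swap in:
    #   make_http_fetch('http://192.168.169.130/xss/example1.php', 'name')
    for ch, verdict in heuristic_scan(constructed_target).items():
        print('%-3r %s' % (ch, verdict))
```

A character classified as reflected is one a payload can use directly; an encoded or filtered character is what the bypass techniques XSSer offers are trying to work around.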
To launch the GUI interface:
root@kali:~# xsser --gtk
XSSer's main features:
- Supports both GET and POST injections.
- Includes different filters and bypass techniques.
- Can be used from the command line or from the GUI.
- Gives detailed information about each attack.
XSS Standard Defenses
- Which input do we trust? Treat anything that arrives from the client as untrusted.
- Does the input match the pattern we expect? Validate it against that pattern.
- Never output untrusted data without encoding it.
- This applies even to data read back from our own database, which may have been stored unfiltered.
- Encode for the context the data lands in (JavaScript / attribute / HTML / CSS); one encoder does not fit every context.
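The last point is where most "we already escape everything" applications still fail, so here is an added Python example of context-aware encoding (not code from this page or from XSSer). It renders the same user-supplied name into an HTML body, a URL in an attribute, and a JavaScript string literal, first unencoded in the style of the tutorial's example1.php and then with an encoder chosen per context. The render_unsafe/render_safe page layout and the payloads are constructed for the illustration.

```python
import html
import json
import urllib.parse


def encode_html(value: str) -> str:
    """HTML body and quoted-attribute context: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string-literal context inside a <script> block.

    json.dumps handles quotes, backslashes, control characters and (with the
    default ensure_ascii=True) the U+2028/U+2029 line terminators, but it leaves
    '<' and '>' untouched, so a value containing '</script>' would still close
    the script block for the HTML parser, which runs before the JS parser.
    Those two are therefore escaped as \\uXXXX, which is inert in both parsers.
    """
    literal = json.dumps(value)
    for ch in '<>':
        literal = literal.replace(ch, '\\u%04x' % ord(ch))
    return literal


def encode_url_param(value: str) -> str:
    """URL query-string context: percent-encode everything but unreserved characters.

    The result contains only [A-Za-z0-9_.~-] and '%', so it also cannot break out
    of a quoted attribute; in general, URL-encode first, then attribute-encode.
    """
    return urllib.parse.quote(value, safe='')


def render_unsafe(name: str) -> str:
    """Reflects `name` into three contexts with no encoding at all (the pattern
    behind the tutorial's vulnerable example1.php)."""
    return (
        '<p>Hello ' + name + '</p>\n'
        '<a href="/profile?user=' + name + '">profile</a>\n'
        '<script>var user = "' + name + '";</script>'
    )


def render_safe(name: str) -> str:
    """Same page, with the encoder chosen by the context each value lands in."""
    return (
        '<p>Hello ' + encode_html(name) + '</p>\n'
        '<a href="/profile?user=' + encode_url_param(name) + '">profile</a>\n'
        '<script>var user = ' + encode_js_string(name) + ';</script>'
    )


if __name__ == '__main__':
    # Constructed payloads: one aimed at the HTML body, one at the script block.
    for payload in ('"><img src=x onerror=alert(1)>',
                    '</script><script>alert(1)</script>'):
        print('--- unsafe ---\n' + render_unsafe(payload))
        print('--- safe ---\n' + render_safe(payload))
```

Note that neither encoder alone would do: encode_html on the script-block value would leave the literal intact but corrupt the data, and encode_js_string on the body value would leave an <img> tag live in the HTML.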