Revision as of 06:35, 29 April 2013 by Epsylon (Talk | contribs)


OWASP XSSer Project
Web application vulnerability scanner / Security auditor
Project Name XSSer: The Cross Site Scripting Framework
Short Project Description

Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

Key Project Information

Project Leader:
Next Version:
Mailing List: Subscribe - Use
Project Type: Pentesting tool, NLNet Awards, OWASP tool
Release Status: v1.6b - "Grey Swarm"
Main Links: SF Website, Code Releases
Related Documentation: Paper 'XSS for fun and profit' (English - Spanish)

GSoC 2013 Proposal

OWASP XSSer Project Ideas

Students presentations, questions and more: Mailing list archive: GSoC13 thread

Proposals 'on stage':

Current Version

XSSer v1.6b ("The Mosquito: Grey Swarm!")

(Screenshot: Xsser-greyswarm sm.png)

This version includes more features on the GTK+ interface:

(Screenshots: Xsser-greyswarm-donate sm.png, Xsser-greyswarm-map sm.png, Xsser-greyswarm-check sm.png, Xsser-greyswarm-conn sm.png)

TIP: type 'xsser --gtk' to start the GTK+ interface from a shell, or launch XSSer directly from the applications menu.


XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (ex: Ubuntu), run:

sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip

How to Use

xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]



November, 28, 2011:

Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed different bugs on core + Fixed Curl handler options + Fixed dorkers system + Fixed bugs on results propagation + Fixed POST requests.

GTK: Added New features to GTK controller + Added Detailed views to GTK interface.

February, 25, 2011:

Added package for Archlinux.

February, 24, 2011:

Core: Added GTK option + Heuristic test + HTTP Response Splitting (a.k.a. Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkers list.

GTK: Intuitive navigation + Wizard helper ("build your pentesting by answering some questions") + Expert visor (with target(s) geolocation included) + Documentation.

November, 13, 2010:

XSSer package for Archlinux can be found in the AUR.

November, 11, 2010:

Created XSSer package (v1.0) for Ubuntu/Debian based systems.

November, 9, 2010:

Added more advanced statistics results + Bugfixing.

November, 7, 2010:

Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (RFC 2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.

October, 8, 2010:

PoC: Detecting, exploiting and reporting the "fcgi-bin/echo" Oracle vulnerability with XSSer

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "" -s --tweet

Results of the -botnet- attack in real time:

- http://identi.ca/xsserbot01
- http://twitter.com/xsserbot01

Reported: approx. 3,000 vulnerable websites (XSSer storm!!).

September 22, 2010:

Added an XML exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.


August 20, 2010:

Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denial of Service).

July 1, 2010:

Dorking + Crawling + IP DWORD + Core clean.

April 19, 2010:

HTTPS implemented + patched bugs.

March 22, 2010:

Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.

March 18, 2010:

Added attack payloads to auto-payloader (62 different XSS injections).

March 16, 2010:

Added new payload encoders to bypass filters.


Download roadmap planning: Next Version

IRC:

   * irc.freenode.net - channel: #xsser

Mailing lists:

   * Owasp: Subscribe Write
   * Sourceforge: Subscribe Write

Project Leader:

 GPG ID: 0xB8AC3776
   * Website:
         o http://lordepsylon.net
   * Email:
         o psy
         o epsylon
   * Microblogging:
         o identi.ca
         o twitter.com