|OWASP XSSer Project|
Web application vulnerability scanner / Security auditor
|Project Name||XSSer: The Cross Site Scripting Framework|
|Short Project Description||
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.
|Key Project Information||Project Leader
Subscribe - Use
|Release Status||Main Links||Related Documentation|
|v1.6b - "Grey Swarm"||SF Website
| Paper: 'XSS for fun and profit':|
English - Spanish
GSoC 2013 Proposal
Students presentations, questions and more: Mailing list archive: GSoC13 thread
Proposals 'on stage':
|XSSer v1.6b ("The Mosquito: Grey Swarm!")
$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
This version include more features on the GTK+ interface:
XSSer runs on many platforms. It requires Python and the following libraries:
- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library
On Debian-based systems (ex: Ubuntu), run:
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip
How to Use
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]
November, 28, 2011:
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.
February, 25, 2011:
Added package for Archlinux.
February, 24, 2011:
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.
November, 13, 2010:
XSSer package for Archlinux can be found in the AUR.
November, 11, 2010:
Created XSSer package (v1.0) for Ubuntu/Debian based systems.
November, 9, 2010:
Added more advanced statistics results + Bugfixig.
November, 7, 2010:
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.
October, 8, 2010:
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet
Results of the -botnet- attack in real time:
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).
September 22, 2010:
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.
August 20, 2010:
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).
July 1, 2010:
Dorking + Crawling + IP DWORD + Core clean.
April 19, 2010:
HTTPS implemented + patched bugs.
March 22, 2010:
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.
March 18, 2010:
Added attack payloads to auto-payloader (62 different XSS injections).
March 16, 2010:
Added new payload encoders to bypass filters.
Download roadmap planning: Next Version
* irc.freenode.net - channel: #xsser
GPG ID: 0xB8AC3776
* Website: o http://lordepsylon.net
* Microblogging: o identi.ca o twitter.com