Difference between revisions of "Projects/OWASP XSSER"

From OWASP
Jump to: navigation, search
(A new code has been released)
 
Line 4: Line 4:
 
----
 
----
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
  ! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor   
+
  ! colspan="8" style="background:#4058A0; color:white" align="center" |<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor   
 
  |-
 
  |-
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
+
  | style="width:15%; background:#7B8ABD" align="center" |'''Project Name'''
  | colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: The Cross Site Scripting Framework'''  
+
  | colspan="7" style="width:85%; background:#cccccc" align="left" |<font color="black">'''XSSer: "The Cross Site Scripting Framework"'''  
 
  |-
 
  |-
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
+
  | style="width:15%; background:#7B8ABD" align="center" | '''Short Project Description'''  
  | colspan="7" style="width:85%; background:#cccccc" align="left"|
+
  | colspan="7" style="width:85%; background:#cccccc" align="left" |
 
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.  
 
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.  
 
  |-
 
  |-
  | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
+
  | style="width:15%; background:#7B8ABD" align="center" |'''Key Project Information'''
  | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Epsylon|'''psy''']]
+
  | style="width:14%; background:#cccccc" align="center" |Project Leader<br>[[User:Psy|'''psy''']]
| style="width:14%; background:#cccccc" align="center"|Roadmap <br>[http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']
+
  | style="width:14%; background:#cccccc" align="center" |Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']
  | style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']
+
  | style="width:14%; background:#cccccc" align="center" |License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']
  | style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']
+
  | style="width:14%; background:#cccccc" align="center" |Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]
  | style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]
+
  | style="width:15%; background:#cccccc" align="center" |Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']
  | style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']
 
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"  
 
{| style="width:100%" border="0" align="center"  
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status'''  
+
  ! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Last Package'''  
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''
+
  ! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Main Links'''
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation'''  
+
  ! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Related Documentation'''  
 
  |-
 
  |-
  | style="width:29%; background:#cccccc" align="center"|[http://sourceforge.net/projects/xsser/files/latest/download '''v1.6b - "Grey Swarm"''']
+
  | style="width:29%; background:#cccccc" align="center" |'''[https://xsser.03c8.net/xsser/xsser_1.8-2.tar.gz XSSer "The Hive!" (v1.8-2)]'''
  | style="width:42%; background:#cccccc" align="center"|[http://xsser.sf.net '''SF Website'''] <br> [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']
+
XSSer (.deb): https://xsser.03c8.net/xsser/xsser_1.8.2_all.deb
  | style="width:29%; background:#cccccc" align="center"| Paper: 'XSS for fun and profit':<br>[http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']
+
  | style="width:42%; background:#cccccc" align="center" |[https://xsser.03c8.net '''Official site'''] <br> [https://github.com/epsylon/xsser '''Code Repository''']
 +
  | style="width:29%; background:#cccccc" align="center" | Paper(2009): 'XSS for fun and profit':<br>[https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']
 
  |}
 
  |}
----
+
 
 
=Current Version=
 
=Current Version=
 
 
<table>
 
<table>
 
<tr>
 
<tr>
<td>XSSer v1.6b ("The Mosquito: <u>Grey Swarm!</u>")<br><br>
+
<td>
[[Image:xsser-greyswarm_sm.png]]<br>
+
[[File:Thehive1.png|thumb|TheHive]]<br>
[[http://xsser.sf.net/xsser/xsser-greyswarm.png '''+ Click for Zoom''']]<br>
+
XSSer v1.8-[2] ("<u>The Hiv3!</u>")<br>
  
 
<ul>
 
<ul>
<li>Download original source code: [http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download '''XSSer v1.6 -beta-''']</li>
+
<li>Download (.tar.gz) source code: '''[https://xsser.03c8.net/xsser/xsser_1.8-2.tar.gz XSSer_v1.8-2.tar.gz]'''</li>
<li>Ubuntu/Debian package: [http://xsser.sf.net/xsser/xsser-1.6_all.deb.tar.gz '''XSSer-1.6_all.deb''']</li>
+
<li>Download (.zip) source code: '''[https://xsser.03c8.net/xsser/xsser_1.8-2.zip XSSer_v1.8-2.zip]'''</li>
<li>ArchLinux package: [http://aur.archlinux.org/packages.php?ID=43447 '''AUR link (v1.6b)''']</li>
+
<li>Or update your copy directly from the XSSer -Github- repository:</li>
<li>Gentoo package: [http://perso.ikujam.org/xsser-1.6.1-ebuild.tar.gz '''XSSer Gentoo ebuild (v1.6b)''']</li>
 
<li>RPM package: [http://xsser.sf.net/xsser/xsser-1.6-1.noarch.rpm.tar.gz '''XSSer-1.6-1.noarch.rpm''']</li>
 
<li>Or update your copy directly from the XSSer -Subversion- repository:</li>
 
  
<u>$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser</u><br><br>
+
$ git clone https://github.com/epsylon/xsser
  
 
</ul>
 
</ul>
This version include more features on the GTK+ interface:
+
This version include more features on the GTK+ interface: <b>xsser --gtk</b>
 
</td>
 
</td>
 
</tr>
 
</tr>
Line 59: Line 55:
  
 
<td>
 
<td>
[[Image:xsser-greyswarm-donate_sm.png]]<br>
+
[[Image:Xsser-zika-gui.png]]<br>
[[http://xsser.sf.net/xsser/xsser-greyswarm-donate.png '''+ Click for Zoom''']]<br>
+
[[https://www.owasp.org/images/f/f7/Xsser-zika-gui.png '''+ Click for Zoom''']]<br>
 
</td>
 
</td>
  
 
<td>
 
<td>
[[Image:xsser-greyswarm-map_sm.png]]<br>
+
[[Image:Xsser-zika-tor.png]]<br>
[[http://xsser.sf.net/xsser/xsser-greyswarm-map.png '''+ Click for Zoom''']]<br>
+
[[https://www.owasp.org/images/b/b1/Xsser-zika-tor.png '''+ Click for Zoom''']]<br>
 
</td>
 
</td>
 
</tr>
 
</tr>
Line 71: Line 67:
 
<tr>
 
<tr>
 
<td>
 
<td>
[[Image:xsser-greyswarm-check_sm.png]]<br>
+
[[Image:Xsser-zika-map.png]]<br>
[[http://xsser.sf.net/xsser/xsser-greyswarm-check.png '''+ Click for Zoom''']]<br>
+
[[https://www.owasp.org/images/7/74/Xsser-zika-map.png '''+ Click for Zoom''']]<br>
 
</td>
 
</td>
  
 
<td>
 
<td>
[[Image:xsser-greyswarm-conn_sm.png]]<br>
+
[[Image:Xsser-zika-spidering.png]]<br>
[[http://xsser.sf.net/xsser/xsser-greyswarm-conn.png '''+ Click for Zoom''']]<br>
+
[[https://www.owasp.org/images/3/38/Xsser-zika-spidering.png '''+ Click for Zoom''']]<br>
 
</td>
 
</td>
  
Line 85: Line 81:
 
</tr>
 
</tr>
 
</table>
 
</table>
TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu [[Image:xssericon_32x32.png]]
+
= How it works=
 
+
<br>
 +
[[Image:Xsser-url-schema.png]]<br>
 +
[[https://www.owasp.org/images/f/f9/Xsser-url-schema.png '''+ Click for Zoom''']]<br>
 +
<br>
 
=Installation=
 
=Installation=
 
 
<p>
 
<p>
XSSer runs on many platforms. It requires Python and the following libraries:<br><br>
+
XSSer runs on many platforms. It requires Python (3.x) and the following libraries:
 
 
    - python-pycurl - Python bindings to libcurl<br>
 
 
 
    - python-beautifulsoup - error-tolerant HTML parser for Python<br>
 
    - python-libxml2 - Python bindings for the GNOME XML library<br>
 
    - python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br>
 
 
 
On Debian-based systems (ex: Ubuntu), run: <br><br>
 
 
 
    sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip
 
 
</p>
 
</p>
 +
* python3-pycurl - Python bindings to libcurl (Python 3)
 +
* python3-bs4 - error-tolerant HTML parser for Python 3
 +
* python3-geoip - Python3 bindings for the GeoIP IP-to-country resolver library
 +
* python3-geoip2 - Python geoip2 API for web services and databases - Python 3.x
 +
* python3-gi - Python 3 bindings for gobject-introspection libraries
 +
* python3-cairocffi - cffi-based cairo bindings for Python (Python3)
 +
You can automatically get all required libraries using (as root):
  
=How to Use=
+
'''sudo python setup.py install'''
 
 
xsser [OPTIONS] [-u  |-i  |-d ] [-g  |-p  |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]
 
 
 
  [http://xsser.sourceforge.net/#usage '''Usage'''] <br>
 
  [http://xsser.sourceforge.net/#examples '''Examples'''] <br>
 
  [http://xsser.sourceforge.net/#docs '''Documentation'''] <br>
 
  [http://xsser.sourceforge.net/#screenshots '''Screenshots'''] <br>
 
  [http://xsser.sourceforge.net/#videotutorials '''Videos'''] <br>
 
 
 
=Changelog=
 
 
 
'''November, 28, 2011:'''<br>
 
 
 
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.<br>
 
 
 
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.<br><br>
 
  
'''February, 25, 2011:'''<br>
+
For manual installation on Debian-based systems (ex: Ubuntu), run:
  
Added package for Archlinux.<br><br>
+
'''sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-geoip2 python3-cairocffi'''
  
'''February, 24, 2011:'''<br>
+
On other systems such as: Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc... also run:
  
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.<br>
+
'''sudo pip3 install pycurl bs4 geoip2 gobject cairocffi'''
  
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.<br><br>
+
=Options=
  
'''November, 13, 2010:'''<br>
+
Usage:  
  
XSSer package for Archlinux can be found in the AUR.<br><br>
+
xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
 +
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}
  
'''November, 11, 2010:'''<br>
+
Cross Site "Scripter" is an automatic -framework- to detect, exploit and
 +
report XSS vulnerabilities in web-based applications.
  
Created XSSer package (v1.0) for Ubuntu/Debian based systems.<br><br>
+
Options:
 +
  --version            show program's version number and exit
 +
  -h, --help            show this help message and exit
 +
  -s, --statistics      show advanced statistics output results
 +
  -v, --verbose        active verbose mode output results
 +
  --gtk                launch XSSer GTK Interface
 +
  --wizard              start Wizard Helper!
  
'''November, 9, 2010:'''<br>
+
  *Special Features*:
 +
    You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
 +
    code embedded. XST allows you to discover if target is vulnerable to
 +
    'Cross Site Tracing' [CAPEC-107]:
  
Added more advanced statistics results + Bugfixig.<br><br>
+
    --imx=IMX          IMX - Create an image with XSS (--imx image.png)
 +
    --fla=FLASH        FLA - Create a flash movie with XSS (--fla movie.swf)
 +
    --xst=XST          XST - Cross Site Tracing (--xst http(s)://host.com)
  
'''November, 7, 2010:'''<br>
+
  *Select Target(s)*:
 +
    At least one of these options must to be specified to set the source
 +
    to get target(s) urls from:
  
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.<br><br>
+
    --all=TARGET        Automatically audit an entire target
 +
    -u URL, --url=URL  Enter target to audit
 +
    -i READFILE        Read target(s) urls from file
 +
    -d DORK            Search target(s) using a query (ex: 'news.php?id=')
 +
    -l                  Search from a list of 'dorks'
 +
    --De=DORK_ENGINE    Use this search engine (default: yahoo)
 +
    --Da                Search massively using all search engines
  
'''October, 8, 2010:'''<br>
+
  *Select type of HTTP/HTTPS Connection(s)*:
 +
    These options can be used to specify which parameter(s) we want to use
 +
    as payload(s). Set 'XSS' as keyword on the place(s) that you want to
 +
    inject:
  
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer<br>
+
    -g GETDATA          Send payload using GET (ex: '/menu.php?id=XSS')
 +
    -p POSTDATA        Send payload using POST (ex: 'foo=1&bar=XSS')
 +
    -c CRAWLING        Number of urls to crawl on target(s): 1-99999
 +
    --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default: 2)
 +
    --Cl                Crawl only local target(s) urls (default: FALSE)
  
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet<br>
+
  *Configure Request(s)*:
 +
    These options can be used to specify how to connect to the target(s)
 +
    payload(s). You can choose multiple:
  
Results of the -botnet- attack in real time:<br>
+
    --head              Send a HEAD request before start a test
 +
    --cookie=COOKIE    Change your HTTP Cookie header
 +
    --drop-cookie      Ignore Set-Cookie header from response
 +
    --user-agent=AGENT  Change your HTTP User-Agent header (default: SPOOFED)
 +
    --referer=REFERER  Use another HTTP Referer header (default: NONE)
 +
    --xforw            Set your HTTP X-Forwarded-For with random IP values
 +
    --xclient          Set your HTTP X-Client-IP with random IP values
 +
    --headers=HEADERS  Extra HTTP headers newline separated
 +
    --auth-type=ATYPE  HTTP Authentication type (Basic, Digest, GSS or NTLM)
 +
    --auth-cred=ACRED  HTTP Authentication credentials (name:password)
 +
    --check-tor        Check to see if Tor is used properly
 +
    --proxy=PROXY      Use proxy server (tor: http://localhost:8118)
 +
    --ignore-proxy      Ignore system default HTTP proxy
 +
    --timeout=TIMEOUT  Select your timeout (default: 30)
 +
    --retries=RETRIES  Retries when connection timeout (default: 1)
 +
    --threads=THREADS  Maximum number of concurrent requests (default: 5)
 +
    --delay=DELAY      Delay in seconds between each request (default: 0)
 +
    --tcp-nodelay      Use the TCP_NODELAY option
 +
    --follow-redirects  Follow server redirection responses (302)
 +
    --follow-limit=FLI  Set limit for redirection requests (default: 50)
  
- http://identi.ca/xsserbot01<br>
+
  *Checker Systems*:
- http://twitter.com/xsserbot01<br><br>
+
    These options are useful to know if your target is using filters
 +
    against XSS attacks:
  
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).<br><br>
+
    --hash              Send a hash to check if target is repeating content
 +
    --heuristic        Discover parameters filtered by using heuristics
 +
    --discode=DISCODE  Set code on reply to discard an injection
 +
    --checkaturl=ALT    Check reply using: <alternative url> [aka BLIND-XSS]
 +
    --checkmethod=ALTM  Check reply using: GET or POST (default: GET)
 +
    --checkatdata=ALD  Check reply using: <alternative payload>
 +
    --reverse-check    Establish a reverse connection from target to XSSer
 +
    --reverse-open      Open a web browser when a reverse check is established
  
'''September 22, 2010:'''<br>
+
  *Select Vector(s)*:
 +
    These options can be used to specify injection(s) code. Important if
 +
    you don't want to inject a common XSS vector used by default. Choose
 +
    only one option:
  
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.<br>
+
    --payload=SCRIPT    OWN  - Inject your own code
 +
    --auto              AUTO  - Inject a list of vectors provided by XSSer
  
http://identi.ca/xsserbot01<br>
+
  *Select Payload(s)*:
http://twitter.com/xsserbot01<br><br>
+
    These options can be used to set the list of vectors provided by
 +
    XSSer. Choose only if required:
  
'''August 20, 2010:'''<br>
+
    --auto-set=FZZ_NUM  ASET  - Limit of vectors to inject (default: 1293)
 +
    --auto-info        AINFO - Select ONLY vectors with INFO (defaul: FALSE)
 +
    --auto-random      ARAND - Set random to order (default: FALSE)
  
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).<br><br>
+
  *Anti-antiXSS Firewall rules*:
 +
    These options can be used to try to bypass specific WAF/IDS products
 +
    and some anti-XSS browser filters. Choose only if required:
  
'''July 1, 2010:'''<br>
+
    --Phpids0.6.5      PHPIDS (0.6.5) [ALL]
 +
    --Phpids0.7        PHPIDS (0.7) [ALL]
 +
    --Imperva          Imperva Incapsula [ALL]
 +
    --Webknight        WebKnight (4.1) [Chrome]
 +
    --F5bigip          F5 Big IP [Chrome + FF + Opera]
 +
    --Barracuda        Barracuda WAF [ALL]
 +
    --Modsec            Mod-Security [ALL]
 +
    --Quickdefense      QuickDefense [Chrome]
 +
    --Sucuri            SucuriWAF [ALL]
 +
    --Firefox          Firefox 12 [& below]
 +
    --Chrome            Chrome 19 & Firefox 12 [& below]
 +
    --Opera            Opera 10.5 [& below]
 +
    --Iexplorer        IExplorer 9 & Firefox 12 [& below]
  
Dorking + Crawling + IP DWORD + Core clean.<br><br>
+
  *Select Bypasser(s)*:
 +
    These options can be used to encode vector(s) and try to bypass
 +
    possible anti-XSS filters. They can be combined with other techniques:
  
'''April 19, 2010:'''<br>
+
    --Str              Use method String.FromCharCode()
 +
    --Une              Use Unescape() function
 +
    --Mix              Mix String.FromCharCode() and Unescape()
 +
    --Dec              Use Decimal encoding
 +
    --Hex              Use Hexadecimal encoding
 +
    --Hes              Use Hexadecimal encoding with semicolons
 +
    --Dwo              Encode IP addresses with DWORD
 +
    --Doo              Encode IP addresses with Octal
 +
    --Cem=CEM          Set different 'Character Encoding Mutations'
 +
                        (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')
  
HTTPS implemented + patched bugs.<br><br>
+
  *Special Technique(s)*:
 +
    These options can be used to inject code using different XSS
 +
    techniques and fuzzing vectors. You can choose multiple:
  
'''March 22, 2010:'''<br>
+
    --Coo              COO - Cross Site Scripting Cookie injection
 +
    --Xsa              XSA - Cross Site Agent Scripting
 +
    --Xsr              XSR - Cross Site Referer Scripting
 +
    --Dcp              DCP - Data Control Protocol injections
 +
    --Dom              DOM - Document Object Model injections
 +
    --Ind              IND - HTTP Response Splitting Induced code
  
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.<br><br>
+
  *Select Final injection(s)*:
 +
    These options can be used to specify the final code to inject on
 +
    vulnerable target(s). Important if you want to exploit 'on-the-wild'
 +
    the vulnerabilities found. Choose only one option:
  
'''March 18, 2010:'''<br>
+
    --Fp=FINALPAYLOAD  OWN    - Exploit your own code
 +
    --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-
  
Added attack payloads to auto-payloader (62 different XSS injections).<br><br>
+
  *Special Final injection(s)*:
 +
    These options can be used to execute some 'special' injection(s) on
 +
    vulnerable target(s). You can select multiple and combine them with
 +
    your final code (except with DCP exploits):
  
'''March 16, 2010:'''<br>
+
    --Anchor            ANC  - Use 'Anchor Stealth' payloader (DOM shadows!)
 +
    --B64              B64  - Base64 code encoding in META tag (rfc2397)
 +
    --Onm              ONM  - Use onMouseMove() event
 +
    --Ifr              IFR  - Use <iframe> source tag
 +
    --Dos              DOS  - XSS (client) Denial of Service
 +
    --Doss              DOSs - XSS (server) Denial of Service
  
Added new payload encoders to bypass filters. <br><br>
+
  *Reporting*:
 +
    --save              Export to file (XSSreport.raw)
 +
    --xml=FILEXML      Export to XML (--xml file.xml)
  
=Roadmap=
+
  *Miscellaneous*:
 
+
    --silent            Inhibit console output results
Download roadmap planning: [https://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']
+
    --alive=ISALIVE    Set limit of errors before check if target is alive
 +
    --update            Check for latest stable version
  
 
=Contact=
 
=Contact=
Line 200: Line 290:
  
 
     * irc.freenode.net - channel: ''#xsser''
 
     * irc.freenode.net - channel: ''#xsser''
 
'''Mailing lists:'''
 
 
    * Owasp: [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] [mailto:owasp_xsser@lists.owasp.org '''Write''']
 
 
    * Sourceforge: [https://lists.sourceforge.net/lists/listinfo/xsser-users '''Subscribe'''] [mailto:xsser-users@lists.sourceforge.net '''Write''']
 
  
 
'''Project Leader:'''
 
'''Project Leader:'''
  
  GPG ID: ''0xB8AC3776''
+
     * [[User:Psy|'''psy''']] - [https://03c8.net '''03c8.net''']
 
 
     * Website:
 
          o [http://lordepsylon.net '''http://lordepsylon.net''']
 
 
 
    * Email:
 
          o [mailto:root@lordepsylon.net '''psy''']
 
          o [mailto:epsylon@riseup,net '''epsylon''']
 
 
 
    * Microblogging:
 
          o [https://identi.ca/psy '''identi.ca''']
 
          o [https://twitter.com/lord_epsylon '''twitter.com''']
 

Latest revision as of 12:16, 16 November 2019




OWASP XSSer Project
Web application vulnerability scanner / Security auditor
Project Name XSSer: "The Cross Site Scripting Framework"
Short Project Description

Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

Key Project Information Project Leader
psy
Mailing List
Subscribe - Use
License
GNU GPLv3
Project Type
Pentesting tool
Support
NLNet Awards
OWASP tool
Last Package Main Links Related Documentation
XSSer "The Hive!" (v1.8-2)

XSSer (.deb): https://xsser.03c8.net/xsser/xsser_1.8.2_all.deb

Official site
Code Repository
Paper(2009): 'XSS for fun and profit':
English - Spanish

Current Version

TheHive

XSSer v1.8-[2] ("The Hiv3!")

This version include more features on the GTK+ interface: xsser --gtk

Xsser-zika-gui.png
[+ Click for Zoom]

Xsser-zika-tor.png
[+ Click for Zoom]

Xsser-zika-map.png
[+ Click for Zoom]

Xsser-zika-spidering.png
[+ Click for Zoom]

How it works


Xsser-url-schema.png
[+ Click for Zoom]

Installation

XSSer runs on many platforms. It requires Python (3.x) and the following libraries:

  • python3-pycurl - Python bindings to libcurl (Python 3)
  • python3-bs4 - error-tolerant HTML parser for Python 3
  • python3-geoip - Python3 bindings for the GeoIP IP-to-country resolver library
  • python3-geoip2 - Python geoip2 API for web services and databases - Python 3.x
  • python3-gi - Python 3 bindings for gobject-introspection libraries
  • python3-cairocffi - cffi-based cairo bindings for Python (Python3)

You can automatically get all required libraries using (as root):

sudo python setup.py install

For manual installation on Debian-based systems (ex: Ubuntu), run:

sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-geoip2 python3-cairocffi

On other systems such as: Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc... also run:

sudo pip3 install pycurl bs4 geoip2 gobject cairocffi

Options

Usage:

xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)] [Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}

Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

Options:

 --version             show program's version number and exit
 -h, --help            show this help message and exit
 -s, --statistics      show advanced statistics output results
 -v, --verbose         active verbose mode output results
 --gtk                 launch XSSer GTK Interface
 --wizard              start Wizard Helper!
 *Special Features*:
   You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
   code embedded. XST allows you to discover if target is vulnerable to
   'Cross Site Tracing' [CAPEC-107]:
   --imx=IMX           IMX - Create an image with XSS (--imx image.png)
   --fla=FLASH         FLA - Create a flash movie with XSS (--fla movie.swf)
   --xst=XST           XST - Cross Site Tracing (--xst http(s)://host.com)
 *Select Target(s)*:
   At least one of these options must to be specified to set the source
   to get target(s) urls from:
   --all=TARGET        Automatically audit an entire target
   -u URL, --url=URL   Enter target to audit
   -i READFILE         Read target(s) urls from file
   -d DORK             Search target(s) using a query (ex: 'news.php?id=')
   -l                  Search from a list of 'dorks'
   --De=DORK_ENGINE    Use this search engine (default: yahoo)
   --Da                Search massively using all search engines
 *Select type of HTTP/HTTPS Connection(s)*:
   These options can be used to specify which parameter(s) we want to use
   as payload(s). Set 'XSS' as keyword on the place(s) that you want to
   inject:
   -g GETDATA          Send payload using GET (ex: '/menu.php?id=XSS')
   -p POSTDATA         Send payload using POST (ex: 'foo=1&bar=XSS')
   -c CRAWLING         Number of urls to crawl on target(s): 1-99999
   --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default: 2)
   --Cl                Crawl only local target(s) urls (default: FALSE)
 *Configure Request(s)*:
   These options can be used to specify how to connect to the target(s)
   payload(s). You can choose multiple:
   --head              Send a HEAD request before start a test
   --cookie=COOKIE     Change your HTTP Cookie header
   --drop-cookie       Ignore Set-Cookie header from response
   --user-agent=AGENT  Change your HTTP User-Agent header (default: SPOOFED)
   --referer=REFERER   Use another HTTP Referer header (default: NONE)
   --xforw             Set your HTTP X-Forwarded-For with random IP values
   --xclient           Set your HTTP X-Client-IP with random IP values
   --headers=HEADERS   Extra HTTP headers newline separated
   --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)
   --auth-cred=ACRED   HTTP Authentication credentials (name:password)
   --check-tor         Check to see if Tor is used properly
   --proxy=PROXY       Use proxy server (tor: http://localhost:8118)
   --ignore-proxy      Ignore system default HTTP proxy
   --timeout=TIMEOUT   Select your timeout (default: 30)
   --retries=RETRIES   Retries when connection timeout (default: 1)
   --threads=THREADS   Maximum number of concurrent requests (default: 5)
   --delay=DELAY       Delay in seconds between each request (default: 0)
   --tcp-nodelay       Use the TCP_NODELAY option
   --follow-redirects  Follow server redirection responses (302)
   --follow-limit=FLI  Set limit for redirection requests (default: 50)
 *Checker Systems*:
   These options are useful to know if your target is using filters
   against XSS attacks:
   --hash              Send a hash to check if target is repeating content
   --heuristic         Discover parameters filtered by using heuristics
   --discode=DISCODE   Set code on reply to discard an injection
   --checkaturl=ALT    Check reply using: <alternative url> [aka BLIND-XSS]
   --checkmethod=ALTM  Check reply using: GET or POST (default: GET)
   --checkatdata=ALD   Check reply using: <alternative payload>
   --reverse-check     Establish a reverse connection from target to XSSer
   --reverse-open      Open a web browser when a reverse check is established
 *Select Vector(s)*:
   These options can be used to specify injection(s) code. Important if
   you don't want to inject a common XSS vector used by default. Choose
   only one option:
   --payload=SCRIPT    OWN   - Inject your own code
   --auto              AUTO  - Inject a list of vectors provided by XSSer
 *Select Payload(s)*:
   These options can be used to set the list of vectors provided by
   XSSer. Choose only if required:
   --auto-set=FZZ_NUM  ASET  - Limit of vectors to inject (default: 1293)
   --auto-info         AINFO - Select ONLY vectors with INFO (defaul: FALSE)
   --auto-random       ARAND - Set random to order (default: FALSE)
 *Anti-antiXSS Firewall rules*:
   These options can be used to try to bypass specific WAF/IDS products
   and some anti-XSS browser filters. Choose only if required:
   --Phpids0.6.5       PHPIDS (0.6.5) [ALL]
   --Phpids0.7         PHPIDS (0.7) [ALL]
   --Imperva           Imperva Incapsula [ALL]
   --Webknight         WebKnight (4.1) [Chrome]
   --F5bigip           F5 Big IP [Chrome + FF + Opera]
   --Barracuda         Barracuda WAF [ALL]
   --Modsec            Mod-Security [ALL]
   --Quickdefense      QuickDefense [Chrome]
   --Sucuri            SucuriWAF [ALL]
   --Firefox           Firefox 12 [& below]
   --Chrome            Chrome 19 & Firefox 12 [& below]
   --Opera             Opera 10.5 [& below]
   --Iexplorer         IExplorer 9 & Firefox 12 [& below]
 *Select Bypasser(s)*:
   These options can be used to encode vector(s) and try to bypass
   possible anti-XSS filters. They can be combined with other techniques:
   --Str               Use method String.FromCharCode()
   --Une               Use Unescape() function
   --Mix               Mix String.FromCharCode() and Unescape()
   --Dec               Use Decimal encoding
   --Hex               Use Hexadecimal encoding
   --Hes               Use Hexadecimal encoding with semicolons
   --Dwo               Encode IP addresses with DWORD
   --Doo               Encode IP addresses with Octal
   --Cem=CEM           Set different 'Character Encoding Mutations'
                       (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')
 *Special Technique(s)*:
   These options can be used to inject code using different XSS
   techniques and fuzzing vectors. You can choose multiple:
   --Coo               COO - Cross Site Scripting Cookie injection
   --Xsa               XSA - Cross Site Agent Scripting
   --Xsr               XSR - Cross Site Referer Scripting
   --Dcp               DCP - Data Control Protocol injections
   --Dom               DOM - Document Object Model injections
   --Ind               IND - HTTP Response Splitting Induced code
 *Select Final injection(s)*:
   These options can be used to specify the final code to inject on
   vulnerable target(s). Important if you want to exploit 'on-the-wild'
   the vulnerabilities found. Choose only one option:
   --Fp=FINALPAYLOAD   OWN    - Exploit your own code
   --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-
 *Special Final injection(s)*:
   These options can be used to execute some 'special' injection(s) on
   vulnerable target(s). You can select multiple and combine them with
   your final code (except with DCP exploits):
   --Anchor            ANC  - Use 'Anchor Stealth' payloader (DOM shadows!)
   --B64               B64  - Base64 code encoding in META tag (rfc2397)
   --Onm               ONM  - Use onMouseMove() event
   --Ifr               IFR  - Use <iframe> source tag
   --Dos               DOS  - XSS (client) Denial of Service
   --Doss              DOSs - XSS (server) Denial of Service
 *Reporting*:
   --save              Export to file (XSSreport.raw)
   --xml=FILEXML       Export to XML (--xml file.xml)
 *Miscellaneous*:
   --silent            Inhibit console output results
   --alive=ISALIVE     Set limit of errors before check if target is alive
   --update            Check for latest stable version

Contact

Irc:

   * irc.freenode.net - channel: #xsser

Project Leader:

   * psy - 03c8.net