XSSer – Automated Web Pentesting Framework Tool to Detect and Exploit XSS vulnerabilities

XSSer is a very commonly exploited vulnerability type that is very widely spread and easily detectable for XSS.

An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site [Read More].

Cross-Site “Scripter” is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

It contains several options to try to bypass certain filters and various special techniques of code injection.

Installation – XSS

It runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-xmlbuilder - create xml/(x)html files - Python 2.x
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

To install on Debian-based systems

sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip

Usage

To list all the features Package “xsser -h”

root@kali:~# xsser -h

To launch a simple Injection attack

root@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker”

Injection from Dork, by selecting “Google” as the search engine:

root@kali:~# xsser –De “google” -d “search.php?q=”

In This KaliLinux Tutorial, To perform Multiple injections from URL, with Automatic payload, establishing a reverse connection.

xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –auto –reverse-check -s

Simple URL Injection, using GET, injecting on Cookie, and using DOM shadow

xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” -g “/path?vuln=” –Coo –Dom –Fp=”vulnerablescript”

Parameter filtering with heuristics

root@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –heuristic

To Launch GUI Interface

root@kali:~# xsser –gtk

You can also use a TOR proxy.

Key Features

Injection with both GET and POST methods.
Includes various filters and bypassing techniques.
can be used both with the command line and GUI.
Will provide detailed stats of the attack.

Common Defenses against XSS

What input do we trust?
Does it adhere to expected patterns?
Never simply reflect untrusted data.
Applies to data within our database too.
Encoding of context(Java/attribute/HTML/CSS).

You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself self-updated.

Also Read:

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.