https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=EpsylonOWASP - User contributions [en]2026-05-07T05:41:12ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Projects/OWASP_XSSER&diff=256071Projects/OWASP XSSER2019-11-16T18:16:50Z<p>Epsylon: A new code has been released</p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" style="background:#4058A0; color:white" align="center" |<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center" |'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left" |<font color="black">'''XSSer: "The Cross Site Scripting Framework"''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center" | '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left" |<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center" |'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center" |Project Leader<br>[[User:Psy|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center" |Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center" |License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center" |Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center" |Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Last Package''' <br />
! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Main Links'''<br />
! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center" |'''[https://xsser.03c8.net/xsser/xsser_1.8-2.tar.gz XSSer "The Hive!" (v1.8-2)]'''<br />
XSSer (.deb): https://xsser.03c8.net/xsser/xsser_1.8.2_all.deb<br />
| style="width:42%; background:#cccccc" align="center" |[https://xsser.03c8.net '''Official site'''] <br> [https://github.com/epsylon/xsser '''Code Repository''']<br />
| style="width:29%; background:#cccccc" align="center" | Paper(2009): 'XSS for fun and profit':<br>[https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
<br />
=Current Version=<br />
<table><br />
<tr><br />
<td><br />
[[File:Thehive1.png|thumb|TheHive]]<br><br />
XSSer v1.8-[2] ("<u>The Hiv3!</u>")<br><br />
<br />
<ul><br />
<li>Download (.tar.gz) source code: '''[https://xsser.03c8.net/xsser/xsser_1.8-2.tar.gz XSSer_v1.8-2.tar.gz]'''</li><br />
<li>Download (.zip) source code: '''[https://xsser.03c8.net/xsser/xsser_1.8-2.zip XSSer_v1.8-2.zip]'''</li><br />
<li>Or update your copy directly from the XSSer -Github- repository:</li><br />
<br />
$ git clone https://github.com/epsylon/xsser<br />
<br />
</ul><br />
This version include more features on the GTK+ interface: <b>xsser --gtk</b><br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:Xsser-zika-gui.png]]<br><br />
[[https://www.owasp.org/images/f/f7/Xsser-zika-gui.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:Xsser-zika-tor.png]]<br><br />
[[https://www.owasp.org/images/b/b1/Xsser-zika-tor.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:Xsser-zika-map.png]]<br><br />
[[https://www.owasp.org/images/7/74/Xsser-zika-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:Xsser-zika-spidering.png]]<br><br />
[[https://www.owasp.org/images/3/38/Xsser-zika-spidering.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
= How it works=<br />
<br><br />
[[Image:Xsser-url-schema.png]]<br><br />
[[https://www.owasp.org/images/f/f9/Xsser-url-schema.png '''+ Click for Zoom''']]<br><br />
<br><br />
=Installation=<br />
<p><br />
XSSer runs on many platforms. It requires Python (3.x) and the following libraries:<br />
</p><br />
* python3-pycurl - Python bindings to libcurl (Python 3)<br />
* python3-bs4 - error-tolerant HTML parser for Python 3<br />
* python3-geoip - Python3 bindings for the GeoIP IP-to-country resolver library<br />
* python3-geoip2 - Python geoip2 API for web services and databases - Python 3.x<br />
* python3-gi - Python 3 bindings for gobject-introspection libraries<br />
* python3-cairocffi - cffi-based cairo bindings for Python (Python3)<br />
You can automatically get all required libraries using (as root):<br />
<br />
'''sudo python setup.py install'''<br />
<br />
For manual installation on Debian-based systems (ex: Ubuntu), run:<br />
<br />
'''sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-geoip2 python3-cairocffi'''<br />
<br />
On other systems such as: Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc... also run:<br />
<br />
'''sudo pip3 install pycurl bs4 geoip2 gobject cairocffi'''<br />
<br />
=Options=<br />
<br />
Usage: <br />
<br />
xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]<br />
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}<br />
<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and<br />
report XSS vulnerabilities in web-based applications.<br />
<br />
Options:<br />
--version show program's version number and exit<br />
-h, --help show this help message and exit<br />
-s, --statistics show advanced statistics output results<br />
-v, --verbose active verbose mode output results<br />
--gtk launch XSSer GTK Interface<br />
--wizard start Wizard Helper!<br />
<br />
*Special Features*:<br />
You can set Vector(s) and Bypasser(s) to build complex scripts for XSS<br />
code embedded. XST allows you to discover if target is vulnerable to<br />
'Cross Site Tracing' [CAPEC-107]:<br />
<br />
--imx=IMX IMX - Create an image with XSS (--imx image.png)<br />
--fla=FLASH FLA - Create a flash movie with XSS (--fla movie.swf)<br />
--xst=XST XST - Cross Site Tracing (--xst http(s)://host.com)<br />
<br />
*Select Target(s)*:<br />
At least one of these options must to be specified to set the source<br />
to get target(s) urls from:<br />
<br />
--all=TARGET Automatically audit an entire target<br />
-u URL, --url=URL Enter target to audit<br />
-i READFILE Read target(s) urls from file<br />
-d DORK Search target(s) using a query (ex: 'news.php?id=')<br />
-l Search from a list of 'dorks'<br />
--De=DORK_ENGINE Use this search engine (default: yahoo)<br />
--Da Search massively using all search engines<br />
<br />
*Select type of HTTP/HTTPS Connection(s)*:<br />
These options can be used to specify which parameter(s) we want to use<br />
as payload(s). Set 'XSS' as keyword on the place(s) that you want to<br />
inject:<br />
<br />
-g GETDATA Send payload using GET (ex: '/menu.php?id=XSS')<br />
-p POSTDATA Send payload using POST (ex: 'foo=1&bar=XSS')<br />
-c CRAWLING Number of urls to crawl on target(s): 1-99999<br />
--Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5 (default: 2)<br />
--Cl Crawl only local target(s) urls (default: FALSE)<br />
<br />
*Configure Request(s)*:<br />
These options can be used to specify how to connect to the target(s)<br />
payload(s). You can choose multiple:<br />
<br />
--head Send a HEAD request before start a test<br />
--cookie=COOKIE Change your HTTP Cookie header<br />
--drop-cookie Ignore Set-Cookie header from response<br />
--user-agent=AGENT Change your HTTP User-Agent header (default: SPOOFED)<br />
--referer=REFERER Use another HTTP Referer header (default: NONE)<br />
--xforw Set your HTTP X-Forwarded-For with random IP values<br />
--xclient Set your HTTP X-Client-IP with random IP values<br />
--headers=HEADERS Extra HTTP headers newline separated<br />
--auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM)<br />
--auth-cred=ACRED HTTP Authentication credentials (name:password)<br />
--check-tor Check to see if Tor is used properly<br />
--proxy=PROXY Use proxy server (tor: http://localhost:8118)<br />
--ignore-proxy Ignore system default HTTP proxy<br />
--timeout=TIMEOUT Select your timeout (default: 30)<br />
--retries=RETRIES Retries when connection timeout (default: 1)<br />
--threads=THREADS Maximum number of concurrent requests (default: 5)<br />
--delay=DELAY Delay in seconds between each request (default: 0)<br />
--tcp-nodelay Use the TCP_NODELAY option<br />
--follow-redirects Follow server redirection responses (302)<br />
--follow-limit=FLI Set limit for redirection requests (default: 50)<br />
<br />
*Checker Systems*:<br />
These options are useful to know if your target is using filters<br />
against XSS attacks:<br />
<br />
--hash Send a hash to check if target is repeating content<br />
--heuristic Discover parameters filtered by using heuristics<br />
--discode=DISCODE Set code on reply to discard an injection<br />
--checkaturl=ALT Check reply using: <alternative url> [aka BLIND-XSS]<br />
--checkmethod=ALTM Check reply using: GET or POST (default: GET)<br />
--checkatdata=ALD Check reply using: <alternative payload><br />
--reverse-check Establish a reverse connection from target to XSSer<br />
--reverse-open Open a web browser when a reverse check is established<br />
<br />
*Select Vector(s)*:<br />
These options can be used to specify injection(s) code. Important if<br />
you don't want to inject a common XSS vector used by default. Choose<br />
only one option:<br />
<br />
--payload=SCRIPT OWN - Inject your own code<br />
--auto AUTO - Inject a list of vectors provided by XSSer<br />
<br />
*Select Payload(s)*:<br />
These options can be used to set the list of vectors provided by<br />
XSSer. Choose only if required:<br />
<br />
--auto-set=FZZ_NUM ASET - Limit of vectors to inject (default: 1293)<br />
--auto-info AINFO - Select ONLY vectors with INFO (defaul: FALSE)<br />
--auto-random ARAND - Set random to order (default: FALSE)<br />
<br />
*Anti-antiXSS Firewall rules*:<br />
These options can be used to try to bypass specific WAF/IDS products<br />
and some anti-XSS browser filters. Choose only if required:<br />
<br />
--Phpids0.6.5 PHPIDS (0.6.5) [ALL]<br />
--Phpids0.7 PHPIDS (0.7) [ALL]<br />
--Imperva Imperva Incapsula [ALL]<br />
--Webknight WebKnight (4.1) [Chrome]<br />
--F5bigip F5 Big IP [Chrome + FF + Opera]<br />
--Barracuda Barracuda WAF [ALL]<br />
--Modsec Mod-Security [ALL]<br />
--Quickdefense QuickDefense [Chrome]<br />
--Sucuri SucuriWAF [ALL]<br />
--Firefox Firefox 12 [& below]<br />
--Chrome Chrome 19 & Firefox 12 [& below]<br />
--Opera Opera 10.5 [& below]<br />
--Iexplorer IExplorer 9 & Firefox 12 [& below]<br />
<br />
*Select Bypasser(s)*:<br />
These options can be used to encode vector(s) and try to bypass<br />
possible anti-XSS filters. They can be combined with other techniques:<br />
<br />
--Str Use method String.FromCharCode()<br />
--Une Use Unescape() function<br />
--Mix Mix String.FromCharCode() and Unescape()<br />
--Dec Use Decimal encoding<br />
--Hex Use Hexadecimal encoding<br />
--Hes Use Hexadecimal encoding with semicolons<br />
--Dwo Encode IP addresses with DWORD<br />
--Doo Encode IP addresses with Octal<br />
--Cem=CEM Set different 'Character Encoding Mutations'<br />
(reversing obfuscators) (ex: 'Mix,Une,Str,Hex')<br />
<br />
*Special Technique(s)*:<br />
These options can be used to inject code using different XSS<br />
techniques and fuzzing vectors. You can choose multiple:<br />
<br />
--Coo COO - Cross Site Scripting Cookie injection<br />
--Xsa XSA - Cross Site Agent Scripting<br />
--Xsr XSR - Cross Site Referer Scripting<br />
--Dcp DCP - Data Control Protocol injections<br />
--Dom DOM - Document Object Model injections<br />
--Ind IND - HTTP Response Splitting Induced code<br />
<br />
*Select Final injection(s)*:<br />
These options can be used to specify the final code to inject on<br />
vulnerable target(s). Important if you want to exploit 'on-the-wild'<br />
the vulnerabilities found. Choose only one option:<br />
<br />
--Fp=FINALPAYLOAD OWN - Exploit your own code<br />
--Fr=FINALREMOTE REMOTE - Exploit a script -remotely-<br />
<br />
*Special Final injection(s)*:<br />
These options can be used to execute some 'special' injection(s) on<br />
vulnerable target(s). You can select multiple and combine them with<br />
your final code (except with DCP exploits):<br />
<br />
--Anchor ANC - Use 'Anchor Stealth' payloader (DOM shadows!)<br />
--B64 B64 - Base64 code encoding in META tag (rfc2397)<br />
--Onm ONM - Use onMouseMove() event<br />
--Ifr IFR - Use <iframe> source tag<br />
--Dos DOS - XSS (client) Denial of Service<br />
--Doss DOSs - XSS (server) Denial of Service<br />
<br />
*Reporting*:<br />
--save Export to file (XSSreport.raw)<br />
--xml=FILEXML Export to XML (--xml file.xml)<br />
<br />
*Miscellaneous*:<br />
--silent Inhibit console output results<br />
--alive=ISALIVE Set limit of errors before check if target is alive<br />
--update Check for latest stable version<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Project Leader:'''<br />
<br />
* [[User:Psy|'''psy''']] - [https://03c8.net '''03c8.net''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=OWASP_XSSER&diff=256070OWASP XSSER2019-11-16T18:15:00Z<p>Epsylon: A new code has been released</p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" style="background:#4058A0; color:white" align="center" |<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center" |'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left" |<font color="black">'''XSSer: "The Cross Site Scripting Framework"''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center" | '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left" |<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center" |'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center" |Project Leader<br>[[User:Psy|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center" |Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center" |License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center" |Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center" |Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Last Package''' <br />
! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Main Links'''<br />
! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center" |'''[https://xsser.03c8.net/xsser/xsser_1.8-2.tar.gz XSSer "The Hive!" (v1.8-2)]'''<br />
XSSer (.deb): https://xsser.03c8.net/xsser/xsser_1.8.2_all.deb<br />
| style="width:42%; background:#cccccc" align="center" |[https://xsser.03c8.net '''Official site'''] <br> [https://github.com/epsylon/xsser '''Code Repository''']<br />
| style="width:29%; background:#cccccc" align="center" | Paper(2009): 'XSS for fun and profit':<br>[https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
<br />
=Current Version=<br />
<table><br />
<tr><br />
<td><br />
[[File:Thehive1.png|thumb|TheHive]]<br><br />
XSSer v1.8-[2] ("<u>The Hiv3!</u>")<br><br />
<br />
<ul><br />
<li>Download (.tar.gz) source code: '''[https://xsser.03c8.net/xsser/xsser_1.8-2.tar.gz XSSer_v1.8-2.tar.gz]'''</li><br />
<li>Download (.zip) source code: '''[https://xsser.03c8.net/xsser/xsser_1.8-2.zip XSSer_v1.8-2.zip]'''</li><br />
<li>Or update your copy directly from the XSSer -Github- repository:</li><br />
<br />
$ git clone https://github.com/epsylon/xsser<br />
<br />
</ul><br />
This version include more features on the GTK+ interface: <b>xsser --gtk</b><br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:Xsser-zika-gui.png]]<br><br />
[[https://www.owasp.org/images/f/f7/Xsser-zika-gui.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:Xsser-zika-tor.png]]<br><br />
[[https://www.owasp.org/images/b/b1/Xsser-zika-tor.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:Xsser-zika-map.png]]<br><br />
[[https://www.owasp.org/images/7/74/Xsser-zika-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:Xsser-zika-spidering.png]]<br><br />
[[https://www.owasp.org/images/3/38/Xsser-zika-spidering.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
= How it works=<br />
<br><br />
[[Image:Xsser-url-schema.png]]<br><br />
[[https://www.owasp.org/images/f/f9/Xsser-url-schema.png '''+ Click for Zoom''']]<br><br />
<br><br />
=Installation=<br />
<p><br />
XSSer runs on many platforms. It requires Python (3.x) and the following libraries:<br />
</p><br />
* python3-pycurl - Python bindings to libcurl (Python 3)<br />
* python3-bs4 - error-tolerant HTML parser for Python 3<br />
* python3-geoip - Python3 bindings for the GeoIP IP-to-country resolver library<br />
* python3-geoip2 - Python geoip2 API for web services and databases - Python 3.x<br />
* python3-gi - Python 3 bindings for gobject-introspection libraries<br />
* python3-cairocffi - cffi-based cairo bindings for Python (Python3)<br />
You can automatically get all required libraries using (as root):<br />
<br />
'''sudo python setup.py install'''<br />
<br />
For manual installation on Debian-based systems (ex: Ubuntu), run:<br />
<br />
'''sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-geoip2 python3-cairocffi'''<br />
<br />
On other systems such as: Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc... also run:<br />
<br />
'''sudo pip3 install pycurl bs4 geoip2 gobject cairocffi'''<br />
<br />
=Options=<br />
<br />
Usage: <br />
<br />
xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]<br />
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}<br />
<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and<br />
report XSS vulnerabilities in web-based applications.<br />
<br />
Options:<br />
--version show program's version number and exit<br />
-h, --help show this help message and exit<br />
-s, --statistics show advanced statistics output results<br />
-v, --verbose active verbose mode output results<br />
--gtk launch XSSer GTK Interface<br />
--wizard start Wizard Helper!<br />
<br />
*Special Features*:<br />
You can set Vector(s) and Bypasser(s) to build complex scripts for XSS<br />
code embedded. XST allows you to discover if target is vulnerable to<br />
'Cross Site Tracing' [CAPEC-107]:<br />
<br />
--imx=IMX IMX - Create an image with XSS (--imx image.png)<br />
--fla=FLASH FLA - Create a flash movie with XSS (--fla movie.swf)<br />
--xst=XST XST - Cross Site Tracing (--xst http(s)://host.com)<br />
<br />
*Select Target(s)*:<br />
At least one of these options must to be specified to set the source<br />
to get target(s) urls from:<br />
<br />
--all=TARGET Automatically audit an entire target<br />
-u URL, --url=URL Enter target to audit<br />
-i READFILE Read target(s) urls from file<br />
-d DORK Search target(s) using a query (ex: 'news.php?id=')<br />
-l Search from a list of 'dorks'<br />
--De=DORK_ENGINE Use this search engine (default: yahoo)<br />
--Da Search massively using all search engines<br />
<br />
*Select type of HTTP/HTTPS Connection(s)*:<br />
These options can be used to specify which parameter(s) we want to use<br />
as payload(s). Set 'XSS' as keyword on the place(s) that you want to<br />
inject:<br />
<br />
-g GETDATA Send payload using GET (ex: '/menu.php?id=XSS')<br />
-p POSTDATA Send payload using POST (ex: 'foo=1&bar=XSS')<br />
-c CRAWLING Number of urls to crawl on target(s): 1-99999<br />
--Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5 (default: 2)<br />
--Cl Crawl only local target(s) urls (default: FALSE)<br />
<br />
*Configure Request(s)*:<br />
These options can be used to specify how to connect to the target(s)<br />
payload(s). You can choose multiple:<br />
<br />
--head Send a HEAD request before start a test<br />
--cookie=COOKIE Change your HTTP Cookie header<br />
--drop-cookie Ignore Set-Cookie header from response<br />
--user-agent=AGENT Change your HTTP User-Agent header (default: SPOOFED)<br />
--referer=REFERER Use another HTTP Referer header (default: NONE)<br />
--xforw Set your HTTP X-Forwarded-For with random IP values<br />
--xclient Set your HTTP X-Client-IP with random IP values<br />
--headers=HEADERS Extra HTTP headers newline separated<br />
--auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM)<br />
--auth-cred=ACRED HTTP Authentication credentials (name:password)<br />
--check-tor Check to see if Tor is used properly<br />
--proxy=PROXY Use proxy server (tor: http://localhost:8118)<br />
--ignore-proxy Ignore system default HTTP proxy<br />
--timeout=TIMEOUT Select your timeout (default: 30)<br />
--retries=RETRIES Retries when connection timeout (default: 1)<br />
--threads=THREADS Maximum number of concurrent requests (default: 5)<br />
--delay=DELAY Delay in seconds between each request (default: 0)<br />
--tcp-nodelay Use the TCP_NODELAY option<br />
--follow-redirects Follow server redirection responses (302)<br />
--follow-limit=FLI Set limit for redirection requests (default: 50)<br />
<br />
*Checker Systems*:<br />
These options are useful to know if your target is using filters<br />
against XSS attacks:<br />
<br />
--hash Send a hash to check if target is repeating content<br />
--heuristic Discover parameters filtered by using heuristics<br />
--discode=DISCODE Set code on reply to discard an injection<br />
--checkaturl=ALT Check reply using: <alternative url> [aka BLIND-XSS]<br />
--checkmethod=ALTM Check reply using: GET or POST (default: GET)<br />
--checkatdata=ALD Check reply using: <alternative payload><br />
--reverse-check Establish a reverse connection from target to XSSer<br />
--reverse-open Open a web browser when a reverse check is established<br />
<br />
*Select Vector(s)*:<br />
These options can be used to specify injection(s) code. Important if<br />
you don't want to inject a common XSS vector used by default. Choose<br />
only one option:<br />
<br />
--payload=SCRIPT OWN - Inject your own code<br />
--auto AUTO - Inject a list of vectors provided by XSSer<br />
<br />
*Select Payload(s)*:<br />
These options can be used to set the list of vectors provided by<br />
XSSer. Choose only if required:<br />
<br />
--auto-set=FZZ_NUM ASET - Limit of vectors to inject (default: 1293)<br />
--auto-info AINFO - Select ONLY vectors with INFO (defaul: FALSE)<br />
--auto-random ARAND - Set random to order (default: FALSE)<br />
<br />
*Anti-antiXSS Firewall rules*:<br />
These options can be used to try to bypass specific WAF/IDS products<br />
and some anti-XSS browser filters. Choose only if required:<br />
<br />
--Phpids0.6.5 PHPIDS (0.6.5) [ALL]<br />
--Phpids0.7 PHPIDS (0.7) [ALL]<br />
--Imperva Imperva Incapsula [ALL]<br />
--Webknight WebKnight (4.1) [Chrome]<br />
--F5bigip F5 Big IP [Chrome + FF + Opera]<br />
--Barracuda Barracuda WAF [ALL]<br />
--Modsec Mod-Security [ALL]<br />
--Quickdefense QuickDefense [Chrome]<br />
--Sucuri SucuriWAF [ALL]<br />
--Firefox Firefox 12 [& below]<br />
--Chrome Chrome 19 & Firefox 12 [& below]<br />
--Opera Opera 10.5 [& below]<br />
--Iexplorer IExplorer 9 & Firefox 12 [& below]<br />
<br />
*Select Bypasser(s)*:<br />
These options can be used to encode vector(s) and try to bypass<br />
possible anti-XSS filters. They can be combined with other techniques:<br />
<br />
--Str Use method String.FromCharCode()<br />
--Une Use Unescape() function<br />
--Mix Mix String.FromCharCode() and Unescape()<br />
--Dec Use Decimal encoding<br />
--Hex Use Hexadecimal encoding<br />
--Hes Use Hexadecimal encoding with semicolons<br />
--Dwo Encode IP addresses with DWORD<br />
--Doo Encode IP addresses with Octal<br />
--Cem=CEM Set different 'Character Encoding Mutations'<br />
(reversing obfuscators) (ex: 'Mix,Une,Str,Hex')<br />
<br />
*Special Technique(s)*:<br />
These options can be used to inject code using different XSS<br />
techniques and fuzzing vectors. You can choose multiple:<br />
<br />
--Coo COO - Cross Site Scripting Cookie injection<br />
--Xsa XSA - Cross Site Agent Scripting<br />
--Xsr XSR - Cross Site Referer Scripting<br />
--Dcp DCP - Data Control Protocol injections<br />
--Dom DOM - Document Object Model injections<br />
--Ind IND - HTTP Response Splitting Induced code<br />
<br />
*Select Final injection(s)*:<br />
These options can be used to specify the final code to inject on<br />
vulnerable target(s). Important if you want to exploit 'on-the-wild'<br />
the vulnerabilities found. Choose only one option:<br />
<br />
--Fp=FINALPAYLOAD OWN - Exploit your own code<br />
--Fr=FINALREMOTE REMOTE - Exploit a script -remotely-<br />
<br />
*Special Final injection(s)*:<br />
These options can be used to execute some 'special' injection(s) on<br />
vulnerable target(s). You can select multiple and combine them with<br />
your final code (except with DCP exploits):<br />
<br />
--Anchor ANC - Use 'Anchor Stealth' payloader (DOM shadows!)<br />
--B64 B64 - Base64 code encoding in META tag (rfc2397)<br />
--Onm ONM - Use onMouseMove() event<br />
--Ifr IFR - Use <iframe> source tag<br />
--Dos DOS - XSS (client) Denial of Service<br />
--Doss DOSs - XSS (server) Denial of Service<br />
<br />
*Reporting*:<br />
--save Export to file (XSSreport.raw)<br />
--xml=FILEXML Export to XML (--xml file.xml)<br />
<br />
*Miscellaneous*:<br />
--silent Inhibit console output results<br />
--alive=ISALIVE Set limit of errors before check if target is alive<br />
--update Check for latest stable version<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Project Leader:'''<br />
<br />
* [[User:Psy|'''psy''']] - [https://03c8.net '''03c8.net''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=WASPY_Awards_2013&diff=157360WASPY Awards 20132013-08-26T17:12:01Z<p>Epsylon: </p>
<hr />
<div>[[File:WASPY-BANNER.jpg]]<br />
<br />
<br />
<br />
<font size="6">'''Web Application Security People of the Year Awards 2013'''</font><br />
<br />
<br />
'''Who:''' <br />
<br />
Anyone in the Community<br />
<br />
<br />
'''What:''' <br />
<br />
WASPY Awards 2013<br />
<br />
<br />
'''Where:'''<br />
<br />
Call for nominees http://www.tfaforms.com/284578<br />
<br />
<br />
'''When:''' <br />
<br />
May 7 – Call for nominees http://www.tfaforms.com/284578<br />
<br />
August 16 – Call for nominees closes<br />
<br />
August 19 – Announcement of nominees per category <br />
<br />
September 6 – Deadline for bio and profile picture to be submitted<br />
<br />
September 30 – Paid member deadline '''Not sure if you are a current member?''' [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdElHZnp5VnozSXFfR0c3UkF1WHh5dVE&hl=en#gid=0 Member Directory]<br />
<br />
October 14 – October 25 – Voting process (will be included on the election ballot)<br />
<br />
October 29 – Announcement of winners in Special Edition connector & recognition at AppSecUSA 2013<br />
<br />
<br />
'''Why:''' <br />
<br />
Every year a group of individuals including researchers, developers, security professionals and others work to ensure the security of web applications. Some of these individuals are featured in news stories or at conferences as recognized experts. But there are many other ‘unsung heroes’ that work every day to improve web application security and yet are rarely recognized. <br />
<br />
<br />
'''Categories:'''<br />
<br />
*Best Chapter Leader<br />
<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="120" | Chapter <br />
! scope="col" align="center" width="800" | Citation<br />
|-<br />
|align="center"| [https://www.owasp.org/index.php/User:Paul_Scott Paul Scott]||align="center"|[https://www.owasp.org/index.php/Houston Houston]||align="center"|"Paul has taken the Houston chapter from non-existent to one of the best I've seen. Every month something is going on, whether it's a "mini-con", a hands-on workshop, or a happy hour. He is very organized and enthusiastic. This leads to having sponsors, which helps encourage attendance. I'm a former OWASP chapter leader in Kansas City and have attended OWASP chapter meetings in Houston, Denver, New York, and London."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Jonathan_Marcil Jonathan Marcil]||align="center"|[https://www.owasp.org/index.php/Montr%C3%A9al Montreal]||align="center"|"Jonathan has been really active since he has been elected as the new chapter leader in Montreal. He has been able to reach a lot of developers that had no idea what was OWASP by simply going in event and talking to them one-o-one. <br />
<br />
He's really dedicated to OWASP and his chapter, he spend at least 20 to 25 hours a week organizing, he also attended BlackHat and sat at the official OWASP booth to distribute and inform people about the wonderful organization that OWASP is.<br />
<br />
I've never seen a chapter leader active like him, he definately deserve an award."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]||align="center"|[https://www.owasp.org/index.php/Iran Iran] ||align="center"|"Abbas Naderi, Chapter Leader in Iran is one of the most helpful person I know. I choose him above all others because of his dedication towards pulling forward the entire security community. He demonstrated this act when he agreed to help me in Google Summer of Code Project even when he knew that he was not going to gain money or knowledge out of this. He helped my project just because he wanted everyone in security community to move forward. While working with him, I realized the vast amount of knowledge he possesses. His ideas and his dedication inspires me and I am proud to say that I have set my goal to be like him one day."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:John.wilander John Wilander]||align="center"|Sweden||align="center"|"John has shown that he is one of the best chapter leaders of OWASP. He recently stepped down, but I believe he should be given the award regardless."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Jack_Mannino Jack Mannino]|| align="center"|Northern Virginia||align="center"|"Jack Mannino has brought top-notch speakers from Jim Manico, to Dan Cornell, and the Twitter appsec team as well as secured an amazing spot with LivingSocial for our meetings. Jack is fostering not only interested speaking events but hackathons and code projects. He is definitely going above and beyond. Most importantly, this chapter is consistent and 100% vendor neutral! Under his leadership, things are already on the right path and headed for even greater destinations. <br />
<br />
Lastly, Jack is one of the leaders of the OWASP Mobile project as well the sole developer for the OWASP project GoatDroid. <br />
<br />
If anyone deserves my nomination, it's him!"<br />
|-<br />
|align="center"|Tin Zaw, Richard Greenberg, Kelly FitzGerald, Stuart Schwartz, Edward Bonver|| align="center"|Los Angeles||align="center"|"Tin was the leader of OWASP for the last several years. During his tenure, Tin created a formal board, solidified partnerships with ISSA, SCALE, B-Sides, .Net users groups and CSA, helped other nearby chapters and, took a leading role in the organization of the 2010 Global OWASP AppSec conference in Irvine, presented in several OWASP conferences e chapters and served as a chair in Global Chapter Committees.<br />
<br />
Under Tin's leadership, the chapter grew from an average attendance of ~20-30 security enthusiasts to ~60-100+ in every meetings. OWASP LA conducted meetings religiously every month and the board goes out of their way to screen and invite excellent speakers. In addition, the board does an excellent job communicating the meeting agenda on our OWASP wiki and other social networks besides taking care of the meeting logistics (quality free food, sponsorship and more). The quality of the talks is so consistent that even other security organizations in LA (informally) acknowledge that OWASP has the best technical talks about security in town!"<br />
|-<br />
|align="center"|Trenton Ivey|| align="center"|Milwaukee||align="center"|"Prior to 2012 there was no OWASP chapter in the Milwaukee area. One man, Trenton Ivey, had a vision. That vision was to establish the Milwaukee OWASP chapter. Through his bold leadership and keen insight he worked with the national OWASP association. His tireless work resulted in a fully functional OWASP Milwaukee Chapter. The response from Information Security professionals in the area was overwhelming. He has provided the local Information Security community a means to learn new technologies and stay current with emerging trends. Most importantly, we have the opportunity to collaborate and share ideas with our peers.<br />
<br />
His dedication to the field of information security and passion for spreading knowledge has enriched the lives of chapter members."<br />
|-<br />
|align="center"|[[David Hughes]]||align="center"|Austin||align="center"|"David is the current leader of the OWASP Austin Chapter and has done an amazing job over the past year and a half to continue what makes Austin the best chapter in the country. Under his leadership, the chapter meetings have grown significantly in size, we have monthly sponsored happy hours, we do weekly study groups, and we hosted the single largest fundraiser for OWASP with 750 attendees at AppSec USA 2012. David has expanded our leadership team to include several new members and he has set us up for success for many years to come. OWASP Austin is the best chapter on the planet and David is the best active chapter leader hands down. He truly deserves this award."<br />
|-<br />
|align="center"|[[Dhruv Soi]]||align="center"|India||align="center"|"My journey with OWASP started in the year 2006 when I formally started the chapter activities in New Delhi, India. Online mailing list had merely 10-20 subscribers and the visibility in different sectors on local industry was too low. There weren't even other active regional chapters in India. <br />
<br />
We started with the chapter meets at very large software development companies in India which started providing visibility to the OWASP as a brand. In 2008, after 2 years of ground work, I announced the very first OWASP conference in the region. Holding a conference for the first time was a challenge but it went very well with participation from around 400 professionals. Our this year's event is lined up for August 2013.<br />
<br />
Later, I was promoted by OWASP Foundation as Chair - OWASP India to promote OWASP activities nation wide. Today, we have got 10 active chapters in India and I was instrumental in formation of many new chapters by coordinating with OWASP Foundation US and mentoring the new chapter leads. Our local New Delhi OWASP Mailing list has grown to nearly 800 subscribers which is amongst largest OWASP mailing lists and we have thus far organized 3 OWASP conferences. Good thing has been that OWASP's conferences in India are the largest cyber security events in the region.<br />
<br />
I even took an initiative to bring OWASP India to social media by creating LinkedIn profile, Facebook, Twitter and Googleplus pages and am actively maintaining all of these for promotion of local activities. Our LinkedIn and Facebook pages have more than 450 Fans/Followers which I see as a considerable number from a region.<br />
<br />
I also facilitated alliances with other not-for-profit organizations to gain further visibility in other communities.<br />
<br />
In most of our past events, I invited top brass from Government which helped in gaining more outreach into Government sector. We even included professors from Universities to make students also aware about OWASP. Total 500+ companies have so far participated in our last conferences.<br />
<br />
We always kept focus on quality and branding in our events which was lauded by a representative from OWASP Foundation in our 2012 event which is also mentioned in the post-event report.<br />
<br />
In these 7 years of my association, I have tried to promote OWASP in the region by all kind of promotional methods online, social media, private meetings, chapter meets, conferences, industry alliances etc.<br />
<br />
Wikipedia history, owasp.in website, OWASP Foundation report on 2012 OWASP India event, owasp-delhi mailing list subscriber list can be looked as supporting documents."<br />
|-<br />
|}<br />
<br />
*Best Project Leader<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="120" | Project <br />
! scope="col" align="center" width="800" | Citation<br />
<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]||align="center"|[https://www.owasp.org/index.php/OWASP_PHP_Security_Project PHP Security Project]||align="center"|I have known Abbas since last 4 months. Within this time I had the opportunity to see this person in action. He is one of the most dynamic, helpful and knowledgeable persons I know. I met him during Google Summer of Code. He is one of the mentors in this program. I have seen him help the people and the community even when things were out of reach. His breadth of knowledge in PHP is quite outstanding and his appeal to knowledge and security is quite inspiring for a lot of people including me. I wish him luck and I truly believe that this person deserves the WASPY award."<br />
<br />
"Abbas is doing an excellent work promoting tools and helping the community with his knowledge and inspiration"<br />
|-<br />
|align="center"| [[Andrew_van_der_Stock|Andrew van der Stock]]||align="center"|Developer Guide||align="center"|"Recognition outside community by AusCERT, development of <br />
- Application Security Verification Standard 2.0<br />
- OWASP Developer Guide 2013 with a lot of others<br />
- OWASP Proactive Controls 2013 with Jim Manico<br />
- and support of other projects like Coding and Testing Guides. "<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts]||align="center"|[https://www.owasp.org/index.php/ZAP ZAP]||align="center"|"For his work on ZAP and the constant effort he makes to improve and market the project." <br />
<br />
"Simon has superbly led the ZAP project through 2012 and into 2013. The project is the most healthy ongoing OWASP project and continues to be updated. It also participated successfully in the GSoC 2012 initiative. Simon has also managed to attract non-coder contributors such as for the translation of the tools content."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Epsylon Epsylon "psy"]|| align="center"|[https://www.owasp.org/index.php/OWASP_XSSER XSSer]||align="center"|From hackers database: http://www.soldierx.com/hdb/psy-epsylon<br />
<br />
-OWASP XSSer Founder and project leader.<br />
-GSoC 2013 proposed Mentor<br />
-Developer of: XSSer (http://xsser.sf.net)<br />
-Developer of: CIntruder (http://cintruder.sf.net)<br />
-Developer of: AnonTwi (http://anontwi.sf.net)<br />
-Developer of: UFOnet (http://ufonet.sf.net)<br />
-Different contributions to free software applications such as: Seeks-Project (http://www.seeks-project.info), Elgg (http://elgg.org), Lorea (http://lorea.org), etc...<br />
-OWASP Spain contributor.<br />
<br />
Epsylon has talked about OWASP XSSer at both security and not security events around in Europe: Spain, France, Netherlands and Germany. He is involved in some different social projects giving an important technical support and is doing a good job leading some security educational communities.<br />
<br />
+ Videos:<br />
<br />
XSSer: http://vimeo.com/album/1943305/video/42466699<br />
CIntruder: http://vimeo.com/42918290<br />
<br />
+ Slides:<br />
http://www.slideshare.net/rootedcon/lord-epsylon-xsser-the-cross-site-scripting-framework-rootedcon-2012<br />
http://www.scribd.com/doc/33492680/XSS-for-Fun-and-Profit"<br />
|-<br />
|}<br />
<br />
*Best Community Supporter – contributor to chapter, project or initiative<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="1000" | Citation<br />
|-<br />
|align="center"| [[Jason Montgomery]]||align="center"|"Jason has organized and run several training sessions for OWASP Columbus chapter in 2013. His training sessions help OWASP members better understand how to integrate security into the software development lifecycle."<br />
|-<br />
|align="center"|[[Fabio Cerullo]]||align="center"|"Fabio's work on:<br />
<br />
Google Season of Code<br />
Latam OWASP Tour<br />
EU OWASP Tour"<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:John.wilander John Wilander]||align="center"|"John has done so much for OWASP over the years. He deeply supports our international community.<br />
<br />
* John founded OWASP Sweden in 2007 and stepped down 2013 with a mailing list of 900+ chapter members, combined under the Sweden umbrella.<br />
<br />
* John chaired OWASP AppSec Research 2010 in Stockholm with Microsoft and Google as main sponsors and keynote speakers. Managed to gather a great team/committee. The profit funded a big part of the subsequent Global Summit.<br />
<br />
* John organized and chaired the Browser Security Track at the Global Summit in Portugal 2011. Round table discussions with Mozilla, Google, Microsoft, PayPal, Adobe, IETF, and some of the world's best web hackers (Mario Heiderich, Stefano di Paola, Gareth Heyes, Eduardo Vela Nava, and David Lindsay).<br />
<br />
* John Co-championed the Builders-Breakers-Defenders communities within OWASP, took on the Builders' Developer Outreach, and went on a two-year mission to give appsec talks at developer conferences, not security conferences."<br />
|-<br />
|}<br />
<br />
*Best Mission Outreach – grow the OWASP community<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="1000" | Citation<br />
|-<br />
|align="center"| [https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch]||align="center"|"Martin tirelessly attends every OWASP conference and supports the OWASP booth. But he also does this at many, many conferences. For example at this year's FOSDEM, Blackhat EU and Hack in the Box Amsterdam. These efforts take a lot of personal time, as well as effort transporting OWASP materials to and from venues."<br />
|-<br />
|align="center"|[[Fabio Cerullo]]||align="center"|"Fabio has been doing an amazing work for OWASP for so many years now, silently, without asking anything in return. I first met him at Appsec EU 2011, which was a great success. We then worked together during OWASP's first year as a GSoC organization, an initiative that Fabio put a lot of effort in and was a great success. He has also successfully run the LatAm tour and now the EU tour, a couple of very large and complex events, with amazing success in spreading the OWASP word in the corresponding areas.<br />
I believe that Fabio has provided amazing value to OWASP's mission, in an altruistic way, without pursuing promotion for himself or any other benefits. He's the most fitting for the "Best mission outreach" award."<br />
<br />
"For his effort in the Latam Tour, spreading OWASP brand and awareness in Latin America and the OWASP European Tour!"<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:John.wilander John Wilander]||align="center"|"John managed to stay a developer and had a massive influence on the developer community with his security knowledge. <br />
He did this next to his OWASP global involvement at various OWASP conferences of one he organized himself and leading the Swedish chapter."<br />
|-<br />
|}<br />
*Best Innovator – willingness to try new ideas<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="1000" | Citation<br />
|-<br />
|align="center"| [[Tanoh Aka Marcellin]]||align="center"|"la raison est que je voudrais lui faire gagner ce prix afin de pouvoir avoir accès aux nouveaux outils et surtout pour ce faire des contacts avec le groupe OWASP et pourquoi pas si possible, travailler avec ce groupe merci."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]||align="center"|"Abbas is developing a new php security library which seems very promising. There is no such a library yet and during the GSOC Abbas is working hard to implement this together as project leader with the student and volunteers "<br />
|-<br />
|}<br />
<br />
'''Rules:'''<br />
<br />
1. Board members can NOT be nominated<br />
<br />
2. Paid staff can NOT be nominated<br />
<br />
3. Must be a paid member to vote '''Not sure if you are a current member?''' [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdFZILXhCRjQyMjVIRURhNFgzRVZ5aVE&hl=en#gid=0 Member Directory]<br />
<br />
4. All nominees will remain anonymous until August 19, 2013<br />
<br />
5. Anyone can nominate any individual<br />
<br />
6. One person per category may be nominated<br />
<br />
<br />
'''Sponsorship Opportunities:''' Please see our [https://docs.google.com/a/owasp.org/document/d/1VDBZ4vnJ52XkB2MJ35PCdMUTbS8qFmChkL24-GsygtY/edit# Sponsorship Document] <br />
<br />
These awards are funded solely by sponsors. If you or your company are interested in sponsoring this years WASPY Awards, please let us know by [http://www.tfaforms.com/274270 contacting us] <br />
<br />
<br />
'''Information about last years WASPY Awards including our winner Helen Gao and our sponsors Qualys and Trustwave can be found here: https://www.owasp.org/index.php/WASPY_Awards'''<br />
<br />
<br />
<br />
<center> <span style="color:red"><font size="5">'''2013 Sponsors'''</font></span><br />
<br />
<br />
<br />
<font size="6">'''Platinum'''</font><br />
<br />
<br />
{{MemberLinks|link=http://www.qualys.com|logo=Qualys_Logo_For_WASPY_Resized.png}}</div>Epsylonhttps://wiki.owasp.org/index.php?title=WASPY_Awards_2013&diff=157359WASPY Awards 20132013-08-26T16:35:54Z<p>Epsylon: </p>
<hr />
<div>[[File:WASPY-BANNER.jpg]]<br />
<br />
<br />
<br />
<font size="6">'''Web Application Security People of the Year Awards 2013'''</font><br />
<br />
<br />
'''Who:''' <br />
<br />
Anyone in the Community<br />
<br />
<br />
'''What:''' <br />
<br />
WASPY Awards 2013<br />
<br />
<br />
'''Where:'''<br />
<br />
Call for nominees http://www.tfaforms.com/284578<br />
<br />
<br />
'''When:''' <br />
<br />
May 7 – Call for nominees http://www.tfaforms.com/284578<br />
<br />
August 16 – Call for nominees closes<br />
<br />
August 19 – Announcement of nominees per category <br />
<br />
September 6 – Deadline for bio and profile picture to be submitted<br />
<br />
September 30 – Paid member deadline '''Not sure if you are a current member?''' [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdElHZnp5VnozSXFfR0c3UkF1WHh5dVE&hl=en#gid=0 Member Directory]<br />
<br />
October 14 – October 25 – Voting process (will be included on the election ballot)<br />
<br />
October 29 – Announcement of winners in Special Edition connector & recognition at AppSecUSA 2013<br />
<br />
<br />
'''Why:''' <br />
<br />
Every year a group of individuals including researchers, developers, security professionals and others work to ensure the security of web applications. Some of these individuals are featured in news stories or at conferences as recognized experts. But there are many other ‘unsung heroes’ that work every day to improve web application security and yet are rarely recognized. <br />
<br />
<br />
'''Categories:'''<br />
<br />
*Best Chapter Leader<br />
<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="120" | Chapter <br />
! scope="col" align="center" width="800" | Citation<br />
|-<br />
|align="center"| [https://www.owasp.org/index.php/User:Paul_Scott Paul Scott]||align="center"|[https://www.owasp.org/index.php/Houston Houston]||align="center"|"Paul has taken the Houston chapter from non-existent to one of the best I've seen. Every month something is going on, whether it's a "mini-con", a hands-on workshop, or a happy hour. He is very organized and enthusiastic. This leads to having sponsors, which helps encourage attendance. I'm a former OWASP chapter leader in Kansas City and have attended OWASP chapter meetings in Houston, Denver, New York, and London."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Jonathan_Marcil Jonathan Marcil]||align="center"|[https://www.owasp.org/index.php/Montr%C3%A9al Montreal]||align="center"|"Jonathan has been really active since he has been elected as the new chapter leader in Montreal. He has been able to reach a lot of developers that had no idea what was OWASP by simply going in event and talking to them one-o-one. <br />
<br />
He's really dedicated to OWASP and his chapter, he spend at least 20 to 25 hours a week organizing, he also attended BlackHat and sat at the official OWASP booth to distribute and inform people about the wonderful organization that OWASP is.<br />
<br />
I've never seen a chapter leader active like him, he definately deserve an award."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]||align="center"|[https://www.owasp.org/index.php/Iran Iran] ||align="center"|"Abbas Naderi, Chapter Leader in Iran is one of the most helpful person I know. I choose him above all others because of his dedication towards pulling forward the entire security community. He demonstrated this act when he agreed to help me in Google Summer of Code Project even when he knew that he was not going to gain money or knowledge out of this. He helped my project just because he wanted everyone in security community to move forward. While working with him, I realized the vast amount of knowledge he possesses. His ideas and his dedication inspires me and I am proud to say that I have set my goal to be like him one day."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:John.wilander John Wilander]||align="center"|Sweden||align="center"|"John has shown that he is one of the best chapter leaders of OWASP. He recently stepped down, but I believe he should be given the award regardless."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Jack_Mannino Jack Mannino]|| align="center"|Northern Virginia||align="center"|"Jack Mannino has brought top-notch speakers from Jim Manico, to Dan Cornell, and the Twitter appsec team as well as secured an amazing spot with LivingSocial for our meetings. Jack is fostering not only interested speaking events but hackathons and code projects. He is definitely going above and beyond. Most importantly, this chapter is consistent and 100% vendor neutral! Under his leadership, things are already on the right path and headed for even greater destinations. <br />
<br />
Lastly, Jack is one of the leaders of the OWASP Mobile project as well the sole developer for the OWASP project GoatDroid. <br />
<br />
If anyone deserves my nomination, it's him!"<br />
|-<br />
|align="center"|Tin Zaw, Richard Greenberg, Kelly FitzGerald, Stuart Schwartz, Edward Bonver|| align="center"|Los Angeles||align="center"|"Tin was the leader of OWASP for the last several years. During his tenure, Tin created a formal board, solidified partnerships with ISSA, SCALE, B-Sides, .Net users groups and CSA, helped other nearby chapters and, took a leading role in the organization of the 2010 Global OWASP AppSec conference in Irvine, presented in several OWASP conferences e chapters and served as a chair in Global Chapter Committees.<br />
<br />
Under Tin's leadership, the chapter grew from an average attendance of ~20-30 security enthusiasts to ~60-100+ in every meetings. OWASP LA conducted meetings religiously every month and the board goes out of their way to screen and invite excellent speakers. In addition, the board does an excellent job communicating the meeting agenda on our OWASP wiki and other social networks besides taking care of the meeting logistics (quality free food, sponsorship and more). The quality of the talks is so consistent that even other security organizations in LA (informally) acknowledge that OWASP has the best technical talks about security in town!"<br />
|-<br />
|align="center"|Trenton Ivey|| align="center"|Milwaukee||align="center"|"Prior to 2012 there was no OWASP chapter in the Milwaukee area. One man, Trenton Ivey, had a vision. That vision was to establish the Milwaukee OWASP chapter. Through his bold leadership and keen insight he worked with the national OWASP association. His tireless work resulted in a fully functional OWASP Milwaukee Chapter. The response from Information Security professionals in the area was overwhelming. He has provided the local Information Security community a means to learn new technologies and stay current with emerging trends. Most importantly, we have the opportunity to collaborate and share ideas with our peers.<br />
<br />
His dedication to the field of information security and passion for spreading knowledge has enriched the lives of chapter members."<br />
|-<br />
|align="center"|[[David Hughes]]||align="center"|Austin||align="center"|"David is the current leader of the OWASP Austin Chapter and has done an amazing job over the past year and a half to continue what makes Austin the best chapter in the country. Under his leadership, the chapter meetings have grown significantly in size, we have monthly sponsored happy hours, we do weekly study groups, and we hosted the single largest fundraiser for OWASP with 750 attendees at AppSec USA 2012. David has expanded our leadership team to include several new members and he has set us up for success for many years to come. OWASP Austin is the best chapter on the planet and David is the best active chapter leader hands down. He truly deserves this award."<br />
|-<br />
|align="center"|[[Dhruv Soi]]||align="center"|India||align="center"|"My journey with OWASP started in the year 2006 when I formally started the chapter activities in New Delhi, India. Online mailing list had merely 10-20 subscribers and the visibility in different sectors on local industry was too low. There weren't even other active regional chapters in India. <br />
<br />
We started with the chapter meets at very large software development companies in India which started providing visibility to the OWASP as a brand. In 2008, after 2 years of ground work, I announced the very first OWASP conference in the region. Holding a conference for the first time was a challenge but it went very well with participation from around 400 professionals. Our this year's event is lined up for August 2013.<br />
<br />
Later, I was promoted by OWASP Foundation as Chair - OWASP India to promote OWASP activities nation wide. Today, we have got 10 active chapters in India and I was instrumental in formation of many new chapters by coordinating with OWASP Foundation US and mentoring the new chapter leads. Our local New Delhi OWASP Mailing list has grown to nearly 800 subscribers which is amongst largest OWASP mailing lists and we have thus far organized 3 OWASP conferences. Good thing has been that OWASP's conferences in India are the largest cyber security events in the region.<br />
<br />
I even took an initiative to bring OWASP India to social media by creating LinkedIn profile, Facebook, Twitter and Googleplus pages and am actively maintaining all of these for promotion of local activities. Our LinkedIn and Facebook pages have more than 450 Fans/Followers which I see as a considerable number from a region.<br />
<br />
I also facilitated alliances with other not-for-profit organizations to gain further visibility in other communities.<br />
<br />
In most of our past events, I invited top brass from Government which helped in gaining more outreach into Government sector. We even included professors from Universities to make students also aware about OWASP. Total 500+ companies have so far participated in our last conferences.<br />
<br />
We always kept focus on quality and branding in our events which was lauded by a representative from OWASP Foundation in our 2012 event which is also mentioned in the post-event report.<br />
<br />
In these 7 years of my association, I have tried to promote OWASP in the region by all kind of promotional methods online, social media, private meetings, chapter meets, conferences, industry alliances etc.<br />
<br />
Wikipedia history, owasp.in website, OWASP Foundation report on 2012 OWASP India event, owasp-delhi mailing list subscriber list can be looked as supporting documents."<br />
|-<br />
|}<br />
<br />
*Best Project Leader<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="120" | Project <br />
! scope="col" align="center" width="800" | Citation<br />
<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]||align="center"|[https://www.owasp.org/index.php/OWASP_PHP_Security_Project PHP Security Project]||align="center"|I have known Abbas since last 4 months. Within this time I had the opportunity to see this person in action. He is one of the most dynamic, helpful and knowledgeable persons I know. I met him during Google Summer of Code. He is one of the mentors in this program. I have seen him help the people and the community even when things were out of reach. His breadth of knowledge in PHP is quite outstanding and his appeal to knowledge and security is quite inspiring for a lot of people including me. I wish him luck and I truly believe that this person deserves the WASPY award."<br />
<br />
"Abbas is doing an excellent work promoting tools and helping the community with his knowledge and inspiration"<br />
|-<br />
|align="center"| [[Andrew_van_der_Stock|Andrew van der Stock]]||align="center"|Developer Guide||align="center"|"Recognition outside community by AusCERT, development of <br />
- Application Security Verification Standard 2.0<br />
- OWASP Developer Guide 2013 with a lot of others<br />
- OWASP Proactive Controls 2013 with Jim Manico<br />
- and support of other projects like Coding and Testing Guides. "<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts]||align="center"|[https://www.owasp.org/index.php/ZAP ZAP]||align="center"|"For his work on ZAP and the constant effort he makes to improve and market the project." <br />
<br />
"Simon has superbly led the ZAP project through 2012 and into 2013. The project is the most healthy ongoing OWASP project and continues to be updated. It also participated successfully in the GSoC 2012 initiative. Simon has also managed to attract non-coder contributors such as for the translation of the tools content."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Epsylon R. Mérida "psy"]|| align="center"|[https://www.owasp.org/index.php/OWASP_XSSER XSSer]||align="center"|From hackers database: http://www.soldierx.com/hdb/psy-epsylon<br />
<br />
-OWASP XSSer Founder and project leader.<br />
-GSoC 2013 proposed Mentor<br />
-Developer of: XSSer (http://xsser.sf.net)<br />
-Developer of: CIntruder (http://cintruder.sf.net)<br />
-Developer of: AnonTwi (http://anontwi.sf.net)<br />
-Developer of: UFOnet (http://ufonet.sf.net)<br />
-Different contributions to free software applications such as: Seeks-Project (http://www.seeks-project.info), Elgg (http://elgg.org), Lorea (http://lorea.org), etc...<br />
-OWASP Spain contributor.<br />
<br />
Epsylon has talked about OWASP XSSer at both security and not security events around in Europe: Spain, France, Netherlands and Germany. He is involved in some different social projects giving an important technical support and is doing a good job leading some security educational communities.<br />
<br />
+ Videos:<br />
<br />
XSSer: http://vimeo.com/album/1943305/video/42466699<br />
CIntruder: http://vimeo.com/42918290<br />
<br />
+ Slides:<br />
http://www.slideshare.net/rootedcon/lord-epsylon-xsser-the-cross-site-scripting-framework-rootedcon-2012<br />
http://www.scribd.com/doc/33492680/XSS-for-Fun-and-Profit"<br />
|-<br />
|}<br />
<br />
*Best Community Supporter – contributor to chapter, project or initiative<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="1000" | Citation<br />
|-<br />
|align="center"| [[Jason Montgomery]]||align="center"|"Jason has organized and run several training sessions for OWASP Columbus chapter in 2013. His training sessions help OWASP members better understand how to integrate security into the software development lifecycle."<br />
|-<br />
|align="center"|[[Fabio Cerullo]]||align="center"|"Fabio's work on:<br />
<br />
Google Season of Code<br />
Latam OWASP Tour<br />
EU OWASP Tour"<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:John.wilander John Wilander]||align="center"|"John has done so much for OWASP over the years. He deeply supports our international community.<br />
<br />
* John founded OWASP Sweden in 2007 and stepped down 2013 with a mailing list of 900+ chapter members, combined under the Sweden umbrella.<br />
<br />
* John chaired OWASP AppSec Research 2010 in Stockholm with Microsoft and Google as main sponsors and keynote speakers. Managed to gather a great team/committee. The profit funded a big part of the subsequent Global Summit.<br />
<br />
* John organized and chaired the Browser Security Track at the Global Summit in Portugal 2011. Round table discussions with Mozilla, Google, Microsoft, PayPal, Adobe, IETF, and some of the world's best web hackers (Mario Heiderich, Stefano di Paola, Gareth Heyes, Eduardo Vela Nava, and David Lindsay).<br />
<br />
* John Co-championed the Builders-Breakers-Defenders communities within OWASP, took on the Builders' Developer Outreach, and went on a two-year mission to give appsec talks at developer conferences, not security conferences."<br />
|-<br />
|}<br />
<br />
*Best Mission Outreach – grow the OWASP community<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="1000" | Citation<br />
|-<br />
|align="center"| [https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch]||align="center"|"Martin tirelessly attends every OWASP conference and supports the OWASP booth. But he also does this at many, many conferences. For example at this year's FOSDEM, Blackhat EU and Hack in the Box Amsterdam. These efforts take a lot of personal time, as well as effort transporting OWASP materials to and from venues."<br />
|-<br />
|align="center"|[[Fabio Cerullo]]||align="center"|"Fabio has been doing an amazing work for OWASP for so many years now, silently, without asking anything in return. I first met him at Appsec EU 2011, which was a great success. We then worked together during OWASP's first year as a GSoC organization, an initiative that Fabio put a lot of effort in and was a great success. He has also successfully run the LatAm tour and now the EU tour, a couple of very large and complex events, with amazing success in spreading the OWASP word in the corresponding areas.<br />
I believe that Fabio has provided amazing value to OWASP's mission, in an altruistic way, without pursuing promotion for himself or any other benefits. He's the most fitting for the "Best mission outreach" award."<br />
<br />
"For his effort in the Latam Tour, spreading OWASP brand and awareness in Latin America and the OWASP European Tour!"<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:John.wilander John Wilander]||align="center"|"John managed to stay a developer and had a massive influence on the developer community with his security knowledge. <br />
He did this next to his OWASP global involvement at various OWASP conferences of one he organized himself and leading the Swedish chapter."<br />
|-<br />
|}<br />
*Best Innovator – willingness to try new ideas<br />
{| border="1" cellpadding="2"<br />
! scope="col" align="center" width="150" | Name<br />
! scope="col" align="center" width="1000" | Citation<br />
|-<br />
|align="center"| [[Tanoh Aka Marcellin]]||align="center"|"la raison est que je voudrais lui faire gagner ce prix afin de pouvoir avoir accès aux nouveaux outils et surtout pour ce faire des contacts avec le groupe OWASP et pourquoi pas si possible, travailler avec ce groupe merci."<br />
|-<br />
|align="center"|[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]||align="center"|"Abbas is developing a new php security library which seems very promising. There is no such a library yet and during the GSOC Abbas is working hard to implement this together as project leader with the student and volunteers "<br />
|-<br />
|}<br />
<br />
'''Rules:'''<br />
<br />
1. Board members can NOT be nominated<br />
<br />
2. Paid staff can NOT be nominated<br />
<br />
3. Must be a paid member to vote '''Not sure if you are a current member?''' [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdFZILXhCRjQyMjVIRURhNFgzRVZ5aVE&hl=en#gid=0 Member Directory]<br />
<br />
4. All nominees will remain anonymous until August 19, 2013<br />
<br />
5. Anyone can nominate any individual<br />
<br />
6. One person per category may be nominated<br />
<br />
<br />
'''Sponsorship Opportunities:''' Please see our [https://docs.google.com/a/owasp.org/document/d/1VDBZ4vnJ52XkB2MJ35PCdMUTbS8qFmChkL24-GsygtY/edit# Sponsorship Document] <br />
<br />
These awards are funded solely by sponsors. If you or your company are interested in sponsoring this years WASPY Awards, please let us know by [http://www.tfaforms.com/274270 contacting us] <br />
<br />
<br />
'''Information about last years WASPY Awards including our winner Helen Gao and our sponsors Qualys and Trustwave can be found here: https://www.owasp.org/index.php/WASPY_Awards'''<br />
<br />
<br />
<br />
<center> <span style="color:red"><font size="5">'''2013 Sponsors'''</font></span><br />
<br />
<br />
<br />
<font size="6">'''Platinum'''</font><br />
<br />
<br />
{{MemberLinks|link=http://www.qualys.com|logo=Qualys_Logo_For_WASPY_Resized.png}}</div>Epsylonhttps://wiki.owasp.org/index.php?title=User:Epsylon&diff=157358User:Epsylon2013-08-26T16:28:51Z<p>Epsylon: </p>
<hr />
<div> GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=OWASP_XSSER&diff=150678OWASP XSSER2013-04-29T11:35:18Z<p>Epsylon: </p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: The Cross Site Scripting Framework''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Epsylon|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center"|Roadmap <br>[http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center"|[http://sourceforge.net/projects/xsser/files/latest/download '''v1.6b - "Grey Swarm"''']<br />
| style="width:42%; background:#cccccc" align="center"|[http://xsser.sf.net '''SF Website'''] <br> [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']<br />
| style="width:29%; background:#cccccc" align="center"| Paper: 'XSS for fun and profit':<br>[http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
----<br />
=GSoC 2013 Proposal=<br />
<br />
[http://owasp.com/index.php/GSoC2013_Ideas#OWASP_XSSer_Project '''OWASP XSSer Project Ideas''']<br />
<br />
Students presentations, questions and more: [http://sourceforge.net/mailarchive/forum.php?forum_name=xsser-users '''Mailing list archive: GSoC13 thread''']<br />
<br />
Proposals 'on stage':<br />
<ul><br />
<li>http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/mxprm/17001</li><br />
<li>http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/badc0re/1</li><br />
<li>http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/whenov/1</li><br />
</ul><br />
<br />
----<br />
=Current Version=<br />
<br />
<table><br />
<tr><br />
<td>XSSer v1.6b ("The Mosquito: <u>Grey Swarm!</u>")<br><br><br />
[[Image:xsser-greyswarm_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm.png '''+ Click for Zoom''']]<br><br />
<br />
<ul><br />
<li>Download original source code: [http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download '''XSSer v1.6 -beta-''']</li><br />
<li>Ubuntu/Debian package: [http://xsser.sf.net/xsser/xsser-1.6_all.deb.tar.gz '''XSSer-1.6_all.deb''']</li><br />
<li>ArchLinux package: [http://aur.archlinux.org/packages.php?ID=43447 '''AUR link (v1.6b)''']</li><br />
<li>Gentoo package: [http://perso.ikujam.org/xsser-1.6.1-ebuild.tar.gz '''XSSer Gentoo ebuild (v1.6b)''']</li><br />
<li>RPM package: [http://xsser.sf.net/xsser/xsser-1.6-1.noarch.rpm.tar.gz '''XSSer-1.6-1.noarch.rpm''']</li><br />
<li>Or update your copy directly from the XSSer -Subversion- repository:</li><br />
<br />
<u>$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser</u><br><br><br />
<br />
</ul><br />
This version include more features on the GTK+ interface:<br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:xsser-greyswarm-donate_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-donate.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-map_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:xsser-greyswarm-check_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-check.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-conn_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-conn.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu [[Image:xssericon_32x32.png]]<br />
<br />
=Installation=<br />
<br />
<p><br />
XSSer runs on many platforms. It requires Python and the following libraries:<br><br><br />
<br />
- python-pycurl - Python bindings to libcurl<br><br />
<br />
- python-beautifulsoup - error-tolerant HTML parser for Python<br><br />
- python-libxml2 - Python bindings for the GNOME XML library<br><br />
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br><br />
<br />
On Debian-based systems (ex: Ubuntu), run: <br><br><br />
<br />
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip<br />
</p><br />
<br />
=How to Use=<br />
<br />
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]<br />
<br />
[http://xsser.sourceforge.net/#usage '''Usage'''] <br><br />
[http://xsser.sourceforge.net/#examples '''Examples'''] <br><br />
[http://xsser.sourceforge.net/#docs '''Documentation'''] <br><br />
[http://xsser.sourceforge.net/#screenshots '''Screenshots'''] <br><br />
[http://xsser.sourceforge.net/#videotutorials '''Videos'''] <br><br />
<br />
=Changelog=<br />
<br />
'''November, 28, 2011:'''<br><br />
<br />
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.<br><br />
<br />
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.<br><br><br />
<br />
'''February, 25, 2011:'''<br><br />
<br />
Added package for Archlinux.<br><br><br />
<br />
'''February, 24, 2011:'''<br><br />
<br />
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.<br><br />
<br />
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.<br><br><br />
<br />
'''November, 13, 2010:'''<br><br />
<br />
XSSer package for Archlinux can be found in the AUR.<br><br><br />
<br />
'''November, 11, 2010:'''<br><br />
<br />
Created XSSer package (v1.0) for Ubuntu/Debian based systems.<br><br><br />
<br />
'''November, 9, 2010:'''<br><br />
<br />
Added more advanced statistics results + Bugfixig.<br><br><br />
<br />
'''November, 7, 2010:'''<br><br />
<br />
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.<br><br><br />
<br />
'''October, 8, 2010:'''<br><br />
<br />
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer<br><br />
<br />
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet<br><br />
<br />
Results of the -botnet- attack in real time:<br><br />
<br />
- http://identi.ca/xsserbot01<br><br />
- http://twitter.com/xsserbot01<br><br><br />
<br />
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).<br><br><br />
<br />
'''September 22, 2010:'''<br><br />
<br />
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.<br><br />
<br />
http://identi.ca/xsserbot01<br><br />
http://twitter.com/xsserbot01<br><br><br />
<br />
'''August 20, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).<br><br><br />
<br />
'''July 1, 2010:'''<br><br />
<br />
Dorking + Crawling + IP DWORD + Core clean.<br><br><br />
<br />
'''April 19, 2010:'''<br><br />
<br />
HTTPS implemented + patched bugs.<br><br><br />
<br />
'''March 22, 2010:'''<br><br />
<br />
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.<br><br><br />
<br />
'''March 18, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (62 different XSS injections).<br><br><br />
<br />
'''March 16, 2010:'''<br><br />
<br />
Added new payload encoders to bypass filters. <br><br><br />
<br />
=Roadmap=<br />
<br />
Download roadmap planning: [http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Mailing lists:'''<br />
<br />
* Owasp: [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] [mailto:owasp_xsser@lists.owasp.org '''Write''']<br />
<br />
* Sourceforge: [https://lists.sourceforge.net/lists/listinfo/xsser-users '''Subscribe'''] [mailto:xsser-users@lists.sourceforge.net '''Write''']<br />
<br />
'''Project Leader:'''<br />
<br />
GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']<br />
o [https://twitter.com/lord_epsylon '''twitter.com''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=GSoC2013_Ideas&diff=148192GSoC2013 Ideas2013-03-19T23:39:21Z<p>Epsylon: </p>
<hr />
<div>==OWASP Project Requests==<br />
===OWASP PHP Security Project===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
<br />
'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.<br />
<br />
'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required. <br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.<br />
<br />
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
===OWASP XSSer Project===<br />
<br />
XSSer has a correct engine implementation to search/exploit XSS vulnerabilities, but it is necessary to work on some different fields to obtain better results. Some of them are: to fight against "false positive" results, to implemenet a better human-readable output results and to develop some new features (like; CSSer, Code checks user inputs, etc...). Also, it will be nice to update the tool with more valid XSS vectors (DOM, DCP, reflected, etc...) and some "anti-anti-XSS" systems for more common browsers. <br />
<br />
There is a roadmap on a pdf file with all tasks required to advance to next release of 'XSSer' (v1.7b - Total Swarm!)<br />
<br />
Download: http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf <br />
<br />
'''Brief explanation:'''<br />
<br />
Below is shown a structure of phases and milestones code areas.<br />
<br />
Milestones:<br />
• Phase 1: Core:<br />
+ Bugfixing:<br />
- False positives<br />
- Fix “swarm” results<br />
- Fix 'maximize' screen (bug reported)<br />
- Add auto-update revision<br />
- Fix multithreading (review)<br />
- Research 'glibc' corruption<br />
<br />
+ Add crawlering for POST+GET (auto test 'whole' page forms)<br />
+ Update XSS payloads (vectors.py / DOM.py / DCP.py / etc...)<br />
+ Advance Statistics results (show more detailed outputs)<br />
+ Advance Exporting methods (create 'whitehat' reports (xml/json))<br />
+ Advance “WebSockets” technology on XSSer 'fortune' option<br />
+ Update Interface (GTK+)<br />
<br />
• Phase 2: New features:<br />
+ Add 'code pre-check' option: Users can set which code will return target's website, to try to evade false positive results.<br />
+ Add 'CSSer' option: Payloads for CSS injections.<br />
+ Research/Search anti-IDS/NIDS/IPS... codes to evade XSS filters.<br />
+ BurpXSSer: Create a Burp plugin (with Jython libs)<br />
+ ZAPXSSer: Create a ZAP plugin (with Jython libs)<br />
<br />
'''Expected results:'''<br />
<br />
* To deploy a new stable version of XSSer with GTk+/Web/Shell main features working propertly,<br />
<br />
The code should be:<br />
<br />
* Clean and easy to follow<br />
* Include a full set of unit tests<br />
* Include good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
XSSer is written in Python, so a good knowledge of this language is recommended, as is knowledge of HTML and Javascript. Also, is necessary to have some knowledge of application security and more in concret about XSS techniques.<br />
<br />
'''Skill Level:''' Medium<br />
<br />
'''Mentor: epsylon (psy) - OWASP XSSer Project Leader'''<br />
<br />
===OWASP ZAP: Dynamically Configurable actions===<br />
<br />
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.<br />
<br />
It also supports a scripting interface, which is very powerful but at the moment difficult to use.<br />
<br />
This project would introduce something inbetween thess 2 options - a powerful way of defining (potentially) complex rules using a wizard based interface.<br />
<br />
The challenge will be to make it as usable as possible while still providing a wide range of functionality.<br />
<br />
'''Brief explanation:'''<br />
<br />
This component would provide a set of highly configurable 'actions' which the user would see up via a wizard.<br />
<br />
So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.<br />
<br />
Then they would define the actions, which could include:<br />
<br />
* Changing the request (adding, removing or replacing strings)<br />
* Raising alerts<br />
* Breaking (to replace existing break points)<br />
* Running custom scripts (which could do pretty much anything) <br />
<br />
They would then be able to switch the actions on and off from the full list of defined actions using checkboxes<br />
<br />
'''Expected results:'''<br />
<br />
* A new ZAP add-on providing the above functionality<br />
The code should be:<br />
* Clean and easy to follow<br />
* Include a full set of unit tests<br />
* Include good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''<br />
<br />
<br />
===OWASP ZAP: Enhanced HTTP Session Handling===<br />
<br />
'''Brief explanation:'''<br />
<br />
ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP Sessions to provide different views of a given target depending on the different user's permissions that the targeted site supports.<br />
<br />
This implementation such provide a set of methods to answer questions such as: 1)What nodes(pages) are available to a group of users and not to other groups of users 2)What nodes are available to different users but these contain significant differences in the HTTP headers and/or in the body content.<br />
<br />
This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.<br />
Expected results:<br />
<br />
* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.<br />
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.<br />
* ZAP will be able to spider an application using a given user/role.<br />
* ZAP will be able to report the differences between different HTTP sessions.<br />
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.<br />
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work. <br />
<br />
'''Expected results:'''<br />
<br />
Users will be able to:<br />
* specify exactly which alerts are included, by context, site or on an individual alert basis<br />
* specify what information is included and how it is layed out<br />
* specify a range of output formats, at least including HTML and PDF<br />
* include details of what testing has been performed (automatically generated where possible)<br />
* apply their own branding<br />
* save report templates, and apply templates downloaded from the ZAP marketplace <br />
The code should be:<br />
* Clean and easy to follow<br />
* Include a full set of unit tests<br />
* Include good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''<br />
<br />
<br />
===OWASP ZAP: Advanced reporting===<br />
<br />
'''Brief explanation:'''<br />
<br />
The reports that ZAP generates are in a fixed format which is not particularly useful or attractive. This development would provide the user with a fine grained control over the contents, layout and branding of the reports.<br />
<br />
'''Expected results:'''<br />
<br />
A new user interface for genrating reports which is easy to use and provides the user with a wide range of options.<br />
The code should be:<br />
* Clean and easy to follow<br />
* Include a full set of unit tests<br />
* Include good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''<br />
<br />
<br />
===OWASP ZAP - SAML 2.0 Support===<br />
<br />
'''Brief explanation:'''<br />
<br />
SAML 2.0 is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO). SAML specifications support many ways, called profiles and bindings, to generate and transport assertions between trusted entities The Web Browser SSO profile is of particular interest here since it enables web applications from 2 separate domains to leverage SSO easily by exchanging assertions via a web browser session.<br />
<br />
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. This project will enhance those capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.<br />
<br />
The scope of this project is limited to the following SAML bindings, profiles and protocols:<br />
<br />
Profiles :<br />
* Web Browser SSO <br />
<br />
Bindings:<br />
* HTTP POST<br />
* HTTP Redirect <br />
<br />
Protocols:<br />
* Authentication Request Protocol <br />
<br />
'''Expected results:'''<br />
<br />
This component would enable ZAP to:<br />
* Detect SAML Assertions in HTTP requests and responses<br />
* Decode SAML Assertions<br />
* Fuzz various entities and attributes within a SAML assertion<br />
* Re-encode the assertion and send it forward <br />
The code should be:<br />
* Clean and easy to follow<br />
* Include a full set of unit tests<br />
* Include good documentation<br />
<br />
Users would have a choice either to fuzz the attributes within an assertion or just add/remove arbitrary attribute (to check for XML and SAML Schema Conformance).<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and SAML 2.0 Protocol. Some knowledge of application security would be useful, but not essential. Understanding of SSO and Federated SSO is preferred.<br />
<br />
'''Mentor: Prasad N. Shenoy'''</div>Epsylonhttps://wiki.owasp.org/index.php?title=Testing_for_Captcha_(OWASP-AT-008)&diff=141067Testing for Captcha (OWASP-AT-008)2012-12-12T03:14:10Z<p>Epsylon: </p>
<hr />
<div>{{Template:OWASP Testing Guide v3}}<br />
<br />
== Brief Summary ==<br />
CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer. CAPTCHA implementations are often vulnerable to various kinds of attacks even if the generated CAPTCHA is unbreakable.<br />
This section will help you to identify these kinds of attacks.<br />
<br />
== Description of the Issue == <br />
Although CAPTCHA is not an authentication control, its use can be very efficient against:<br />
<br />
* [https://www.owasp.org/index.php/Testing_for_user_enumeration enumeration attacks] (login, registration or password reset forms are often vulnerable to enumeration attacks - without CAPTCHA the attacker can gain valid usernames, phone numbers or any other sensitive information in a short time)<br />
* automated sending of many GET/POST requests in a short time where it is undesirable (e.g., SMS/MMS/email flooding), CAPTCHA provides a rate limiting function<br />
* automated creation/using of the account that should be used only by humans (e.g., creating webmail accounts, stop spamming)<br />
* automated posting to blogs, forums and wikis, whether as a result of commercial promotion, or harassment and vandalism<br />
* any automated attacks that massively gain or misuse sensitive information from the application<br />
<br />
Using CAPTCHAs as a CSRF protection is not recommended (because there are [[Testing_for_CSRF (OWASP-SM-005)|stronger CSRF countermeasures]]).<br />
<br />
These vulnerabilities are quite common in many CAPTCHA implementations:<br />
<br />
* generated image CAPTCHA is weak, this can be identified (without any complex computer recognition systems) only by a simple comparison with already broken CAPTCHAs <br />
* generated CAPTCHA questions have a very limited set of possible answers <br />
<br />
* the value of decoded CAPTCHA is sent by the client (as a GET parameter or as a hidden field of POST form). This value is often: <br />
** encrypted by simple algorithm and can be easily decrypted by observing of multiple decoded CAPTCHA values<br />
** hashed by a weak hash function (e.g., MD5) that can be broken using a rainbow table<br />
<br />
* possibility of replay attacks: <br />
** the application does not keep track of what ID of CAPTCHA image is sent to the user. Therefore, the attacker can simply obtain an appropriate CAPTCHA image and its ID, solve it, and send the value of the decoded CAPTCHA with its corresponding ID (the ID of a CAPTCHA could be a hash of the decoded CAPTCHA or any unique identifier) <br />
** the application does not destroy the session when the correct phrase is entered - by reusing the session ID of a known CAPTCHA it is possible to bypass CAPTCHA protected page<br />
<br />
== Black Box testing and example ==<br />
<br />
Use an intercepting fault injection proxy (e.g., [[OWASP WebScarab Project|WebScarab]]) to:<br />
<br />
* identify all parameters that are sent in addition to the decoded CAPTCHA value from the client to the server (these parameters can contain encrypted or hashed values of decoded CAPTCHA and CAPTCHA ID number)<br />
* try to send an old decoded CAPTCHA value with an old CAPTCHA ID (if the application accepts them, it is vulnerable to replay attacks)<br />
* try to send an old decoded CAPTCHA value with an old session ID (if the application accepts them, it is vulnerable to replay attacks)<br />
<br />
Find out if similar CAPTCHAs have already been broken. Broken CAPTCHA images can be found here [http://www.cs.sfu.ca/~mori/research/gimpy/ez/ gimpy], [http://libcaca.zoy.org/wiki/PWNtcha PWNtcha], and [http://www.lafdc.com/captcha/ lafdc].<br />
<br />
Verify if the set of possible answers for a CAPTCHA is limited and can be easily determined.<br />
<br />
== Gray Box testing and example == <br />
<br />
Audit the application source code in order to reveal: <br />
<br />
* used CAPTCHA implementation and version - there are many known vulnerabilities in widely used CAPTCHA implementations, see http://osvdb.org/search?request=captcha<br />
* if the application sends encrypted or hashed value from the client (which is a very bad security practice) verify if used encryption or hash algorithm is sufficiently strong<br />
<br />
<br />
== References ==<br />
<br />
'''Captcha Decoders'''<br><br />
* [http://cintruder.sourceforge.net/ (Opensource) CaptchaIntruder]<br />
* [http://libcaca.zoy.org/wiki/PWNtcha (Opensource) PWNtcha captcha decoder]<br />
* [http://churchturing.org/captcha-dist/ (Opensource) The Captcha Breaker]<br />
* [http://www.lafdc.com/captcha/ (Commercial) Captcha decoder]<br />
* [http://www.captchakiller.com/ (Commercial - Free) Online Captcha Decoder] Free limited usage, enough for testing.<br />
<br />
'''Articles'''<br><br />
* [http://www.cs.sfu.ca/~mori/research/gimpy/ Breaking a Visual CAPTCHA]<br />
* [http://www.puremango.co.uk/cm_breaking_captcha_115.php Breaking CAPTCHAs Without Using OCR]<br />
* [http://securesoftware.blogspot.com/2007/11/captcha-placebo-security-control-for.html Why CAPTCHA is not a security control for user authentication]</div>Epsylonhttps://wiki.owasp.org/index.php?title=OWASP_XSSER&diff=135612OWASP XSSER2012-09-10T19:13:26Z<p>Epsylon: </p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: The Cross Site Scripting Framework''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Epsylon|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center"|Roadmap <br>[http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center"|[http://sourceforge.net/projects/xsser/files/latest/download '''v1.6b - "Grey Swarm"''']<br />
| style="width:42%; background:#cccccc" align="center"|[http://xsser.sf.net '''SF Website'''] <br> [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']<br />
| style="width:29%; background:#cccccc" align="center"| Paper: 'XSS for fun and profit':<br>[http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
----<br />
=Current Version=<br />
<br />
<table><br />
<tr><br />
<td>XSSer v1.6b ("The Mosquito: <u>Grey Swarm!</u>")<br><br><br />
[[Image:xsser-greyswarm_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm.png '''+ Click for Zoom''']]<br><br />
<br />
<ul><br />
<li>Download original source code: [http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download '''XSSer v1.6 -beta-''']</li><br />
<li>Ubuntu/Debian package: [http://xsser.sf.net/xsser/xsser-1.6_all.deb.tar.gz '''XSSer-1.6_all.deb''']</li><br />
<li>ArchLinux package: [http://aur.archlinux.org/packages.php?ID=43447 '''AUR link (v1.6b)''']</li><br />
<li>Gentoo package: [http://perso.ikujam.org/xsser-1.6.1-ebuild.tar.gz '''XSSer Gentoo ebuild (v1.6b)''']</li><br />
<li>RPM package: [http://xsser.sf.net/xsser/xsser-1.6-1.noarch.rpm.tar.gz '''XSSer-1.6-1.noarch.rpm''']</li><br />
<li>Or update your copy directly from the XSSer -Subversion- repository:</li><br />
<br />
<u>$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser</u><br><br><br />
<br />
</ul><br />
This version include more features on the GTK+ interface:<br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:xsser-greyswarm-donate_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-donate.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-map_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:xsser-greyswarm-check_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-check.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-conn_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-conn.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu [[Image:xssericon_32x32.png]]<br />
<br />
=Installation=<br />
<br />
<p><br />
XSSer runs on many platforms. It requires Python and the following libraries:<br><br><br />
<br />
- python-pycurl - Python bindings to libcurl<br><br />
<br />
- python-beautifulsoup - error-tolerant HTML parser for Python<br><br />
- python-libxml2 - Python bindings for the GNOME XML library<br><br />
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br><br />
<br />
On Debian-based systems (ex: Ubuntu), run: <br><br><br />
<br />
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip<br />
</p><br />
<br />
=How to Use=<br />
<br />
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]<br />
<br />
[http://xsser.sourceforge.net/#usage '''Usage'''] <br><br />
[http://xsser.sourceforge.net/#examples '''Examples'''] <br><br />
[http://xsser.sourceforge.net/#docs '''Documentation'''] <br><br />
[http://xsser.sourceforge.net/#screenshots '''Screenshots'''] <br><br />
[http://xsser.sourceforge.net/#videotutorials '''Videos'''] <br><br />
<br />
=Changelog=<br />
<br />
'''November, 28, 2011:'''<br><br />
<br />
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.<br><br />
<br />
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.<br><br><br />
<br />
'''February, 25, 2011:'''<br><br />
<br />
Added package for Archlinux.<br><br><br />
<br />
'''February, 24, 2011:'''<br><br />
<br />
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.<br><br />
<br />
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.<br><br><br />
<br />
'''November, 13, 2010:'''<br><br />
<br />
XSSer package for Archlinux can be found in the AUR.<br><br><br />
<br />
'''November, 11, 2010:'''<br><br />
<br />
Created XSSer package (v1.0) for Ubuntu/Debian based systems.<br><br><br />
<br />
'''November, 9, 2010:'''<br><br />
<br />
Added more advanced statistics results + Bugfixig.<br><br><br />
<br />
'''November, 7, 2010:'''<br><br />
<br />
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.<br><br><br />
<br />
'''October, 8, 2010:'''<br><br />
<br />
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer<br><br />
<br />
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet<br><br />
<br />
Results of the -botnet- attack in real time:<br><br />
<br />
- http://identi.ca/xsserbot01<br><br />
- http://twitter.com/xsserbot01<br><br><br />
<br />
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).<br><br><br />
<br />
'''September 22, 2010:'''<br><br />
<br />
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.<br><br />
<br />
http://identi.ca/xsserbot01<br><br />
http://twitter.com/xsserbot01<br><br><br />
<br />
'''August 20, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).<br><br><br />
<br />
'''July 1, 2010:'''<br><br />
<br />
Dorking + Crawling + IP DWORD + Core clean.<br><br><br />
<br />
'''April 19, 2010:'''<br><br />
<br />
HTTPS implemented + patched bugs.<br><br><br />
<br />
'''March 22, 2010:'''<br><br />
<br />
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.<br><br><br />
<br />
'''March 18, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (62 different XSS injections).<br><br><br />
<br />
'''March 16, 2010:'''<br><br />
<br />
Added new payload encoders to bypass filters. <br><br><br />
<br />
=Roadmap=<br />
<br />
Download roadmap planning: [http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Mailing lists:'''<br />
<br />
* Owasp: [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] [mailto:owasp_xsser@lists.owasp.org '''Write''']<br />
<br />
* Sourceforge: [https://lists.sourceforge.net/lists/listinfo/xsser-users '''Subscribe'''] [mailto:xsser-users@lists.sourceforge.net '''Write''']<br />
<br />
'''Project Leader:'''<br />
<br />
GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']<br />
o [https://twitter.com/lord_epsylon '''twitter.com''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=Projects/OWASP_XSSER&diff=135609Projects/OWASP XSSER2012-09-10T17:15:02Z<p>Epsylon: </p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: The Cross Site Scripting Framework''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Epsylon|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center"|Roadmap <br>[http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center"|[http://sourceforge.net/projects/xsser/files/latest/download '''v1.6b - "Grey Swarm"''']<br />
| style="width:42%; background:#cccccc" align="center"|[http://xsser.sf.net '''SF Website'''] <br> [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']<br />
| style="width:29%; background:#cccccc" align="center"| Paper: 'XSS for fun and profit':<br>[http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
----<br />
=Current Version=<br />
<br />
<table><br />
<tr><br />
<td>XSSer v1.6b ("The Mosquito: <u>Grey Swarm!</u>")<br><br><br />
[[Image:xsser-greyswarm_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm.png '''+ Click for Zoom''']]<br><br />
<br />
<ul><br />
<li>Download original source code: [http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download '''XSSer v1.6 -beta-''']</li><br />
<li>Ubuntu/Debian package: [http://xsser.sf.net/xsser/xsser-1.6_all.deb.tar.gz '''XSSer-1.6_all.deb''']</li><br />
<li>ArchLinux package: [http://aur.archlinux.org/packages.php?ID=43447 '''AUR link (v1.6b)''']</li><br />
<li>Gentoo package: [http://perso.ikujam.org/xsser-1.6.1-ebuild.tar.gz '''XSSer Gentoo ebuild (v1.6b)''']</li><br />
<li>RPM package: [http://xsser.sf.net/xsser/xsser-1.6-1.noarch.rpm.tar.gz '''XSSer-1.6-1.noarch.rpm''']</li><br />
<li>Or update your copy directly from the XSSer -Subversion- repository:</li><br />
<br />
<u>$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser</u><br><br><br />
<br />
</ul><br />
This version include more features on the GTK+ interface:<br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:xsser-greyswarm-donate_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-donate.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-map_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:xsser-greyswarm-check_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-check.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-conn_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-conn.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu [[Image:xssericon_32x32.png]]<br />
<br />
=Installation=<br />
<br />
<p><br />
XSSer runs on many platforms. It requires Python and the following libraries:<br><br><br />
<br />
- python-pycurl - Python bindings to libcurl<br><br />
<br />
- python-beautifulsoup - error-tolerant HTML parser for Python<br><br />
- python-libxml2 - Python bindings for the GNOME XML library<br><br />
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br><br />
<br />
On Debian-based systems (ex: Ubuntu), run: <br><br><br />
<br />
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip<br />
</p><br />
<br />
=How to Use=<br />
<br />
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]<br />
<br />
[http://xsser.sourceforge.net/#usage '''Usage'''] <br><br />
[http://xsser.sourceforge.net/#examples '''Examples'''] <br><br />
[http://xsser.sourceforge.net/#docs '''Documentation'''] <br><br />
[http://xsser.sourceforge.net/#screenshots '''Screenshots'''] <br><br />
[http://xsser.sourceforge.net/#videotutorials '''Videos'''] <br><br />
<br />
=Changelog=<br />
<br />
'''November, 28, 2011:'''<br><br />
<br />
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.<br><br />
<br />
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.<br><br><br />
<br />
'''February, 25, 2011:'''<br><br />
<br />
Added package for Archlinux.<br><br><br />
<br />
'''February, 24, 2011:'''<br><br />
<br />
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.<br><br />
<br />
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.<br><br><br />
<br />
'''November, 13, 2010:'''<br><br />
<br />
XSSer package for Archlinux can be found in the AUR.<br><br><br />
<br />
'''November, 11, 2010:'''<br><br />
<br />
Created XSSer package (v1.0) for Ubuntu/Debian based systems.<br><br><br />
<br />
'''November, 9, 2010:'''<br><br />
<br />
Added more advanced statistics results + Bugfixig.<br><br><br />
<br />
'''November, 7, 2010:'''<br><br />
<br />
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.<br><br><br />
<br />
'''October, 8, 2010:'''<br><br />
<br />
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer<br><br />
<br />
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet<br><br />
<br />
Results of the -botnet- attack in real time:<br><br />
<br />
- http://identi.ca/xsserbot01<br><br />
- http://twitter.com/xsserbot01<br><br><br />
<br />
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).<br><br><br />
<br />
'''September 22, 2010:'''<br><br />
<br />
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.<br><br />
<br />
http://identi.ca/xsserbot01<br><br />
http://twitter.com/xsserbot01<br><br><br />
<br />
'''August 20, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).<br><br><br />
<br />
'''July 1, 2010:'''<br><br />
<br />
Dorking + Crawling + IP DWORD + Core clean.<br><br><br />
<br />
'''April 19, 2010:'''<br><br />
<br />
HTTPS implemented + patched bugs.<br><br><br />
<br />
'''March 22, 2010:'''<br><br />
<br />
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.<br><br><br />
<br />
'''March 18, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (62 different XSS injections).<br><br><br />
<br />
'''March 16, 2010:'''<br><br />
<br />
Added new payload encoders to bypass filters. <br><br><br />
<br />
=Roadmap=<br />
<br />
Download roadmap planning: [https://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Mailing lists:'''<br />
<br />
* Owasp: [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] [mailto:owasp_xsser@lists.owasp.org '''Write''']<br />
<br />
* Sourceforge: [https://lists.sourceforge.net/lists/listinfo/xsser-users '''Subscribe'''] [mailto:xsser-users@lists.sourceforge.net '''Write''']<br />
<br />
'''Project Leader:'''<br />
<br />
GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']<br />
o [https://twitter.com/lord_epsylon '''twitter.com''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=OWASP_XSSER&diff=135076OWASP XSSER2012-08-30T14:25:23Z<p>Epsylon: </p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: The Cross Site Scripting Framework''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Epsylon|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center"|Roadmap <br>[http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center"|[http://sourceforge.net/projects/xsser/files/latest/download '''v1.6b - "Grey Swarm"''']<br />
| style="width:42%; background:#cccccc" align="center"|[http://xsser.sf.net '''SF Website'''] <br> [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']<br />
| style="width:29%; background:#cccccc" align="center"| Paper: 'XSS for fun and profit':<br>[http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
----<br />
=Current Version=<br />
<br />
<table><br />
<tr><br />
<td>XSSer v1.6b ("The Mosquito: <u>Grey Swarm!</u>")<br><br><br />
[[Image:xsser-greyswarm_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm.png '''+ Click for Zoom''']]<br><br />
<br />
<ul><br />
<li>Download original source code: [http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download '''XSSer v1.6 -beta-''']</li><br />
<li>Ubuntu/Debian package: [http://xsser.sf.net/xsser/xsser-1.6_all.deb.tar.gz '''XSSer-1.6_all.deb''']</li><br />
<li>ArchLinux package: [http://aur.archlinux.org/packages.php?ID=43447 '''AUR link (v1.6b)''']</li><br />
<li>Gentoo package: [http://perso.ikujam.org/xsser-1.6.1-ebuild.tar.gz '''XSSer Gentoo ebuild (v1.6b)''']</li><br />
<li>RPM package: [http://xsser.sf.net/xsser/xsser-1.6-1.noarch.rpm.tar.gz '''XSSer-1.6-1.noarch.rpm''']</li><br />
<li>Or update your copy directly from the XSSer -Subversion- repository:</li><br />
<br />
<u>$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser</u><br><br><br />
<br />
</ul><br />
This version include more features on the GTK+ interface:<br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:xsser-greyswarm-donate_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-donate.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-map_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:xsser-greyswarm-check_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-check.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-conn_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-conn.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu [[Image:xssericon_32x32.png]]<br />
<br />
=Installation=<br />
<br />
<p><br />
XSSer runs on many platforms. It requires Python and the following libraries:<br><br><br />
<br />
- python-pycurl - Python bindings to libcurl<br><br />
<br />
- python-beautifulsoup - error-tolerant HTML parser for Python<br><br />
- python-libxml2 - Python bindings for the GNOME XML library<br><br />
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br><br />
<br />
On Debian-based systems (ex: Ubuntu), run: <br><br><br />
<br />
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip<br />
</p><br />
<br />
=How to Use=<br />
<br />
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]<br />
<br />
[http://xsser.sourceforge.net/#usage '''Usage'''] <br><br />
[http://xsser.sourceforge.net/#examples '''Examples'''] <br><br />
[http://xsser.sourceforge.net/#docs '''Documentation'''] <br><br />
[http://xsser.sourceforge.net/#screenshots '''Screenshots'''] <br><br />
[http://xsser.sourceforge.net/#videotutorials '''Videos'''] <br><br />
<br />
=Changelog=<br />
<br />
'''November, 28, 2011:'''<br><br />
<br />
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.<br><br />
<br />
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.<br><br><br />
<br />
'''February, 25, 2011:'''<br><br />
<br />
Added package for Archlinux.<br><br><br />
<br />
'''February, 24, 2011:'''<br><br />
<br />
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.<br><br />
<br />
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.<br><br><br />
<br />
'''November, 13, 2010:'''<br><br />
<br />
XSSer package for Archlinux can be found in the AUR.<br><br><br />
<br />
'''November, 11, 2010:'''<br><br />
<br />
Created XSSer package (v1.0) for Ubuntu/Debian based systems.<br><br><br />
<br />
'''November, 9, 2010:'''<br><br />
<br />
Added more advanced statistics results + Bugfixig.<br><br><br />
<br />
'''November, 7, 2010:'''<br><br />
<br />
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.<br><br><br />
<br />
'''October, 8, 2010:'''<br><br />
<br />
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer<br><br />
<br />
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet<br><br />
<br />
Results of the -botnet- attack in real time:<br><br />
<br />
- http://identi.ca/xsserbot01<br><br />
- http://twitter.com/xsserbot01<br><br><br />
<br />
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).<br><br><br />
<br />
'''September 22, 2010:'''<br><br />
<br />
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.<br><br />
<br />
http://identi.ca/xsserbot01<br><br />
http://twitter.com/xsserbot01<br><br><br />
<br />
'''August 20, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).<br><br><br />
<br />
'''July 1, 2010:'''<br><br />
<br />
Dorking + Crawling + IP DWORD + Core clean.<br><br><br />
<br />
'''April 19, 2010:'''<br><br />
<br />
HTTPS implemented + patched bugs.<br><br><br />
<br />
'''March 22, 2010:'''<br><br />
<br />
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.<br><br><br />
<br />
'''March 18, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (62 different XSS injections).<br><br><br />
<br />
'''March 16, 2010:'''<br><br />
<br />
Added new payload encoders to bypass filters. <br><br><br />
<br />
=Roadmap=<br />
<br />
Download roadmap planning: [https://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Mailing lists:'''<br />
<br />
* Owasp: [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] [mailto:owasp_xsser@lists.owasp.org '''Write''']<br />
<br />
* Sourceforge: [https://lists.sourceforge.net/lists/listinfo/xsser-users '''Subscribe'''] [mailto:xsser-users@lists.sourceforge.net '''Write''']<br />
<br />
'''Project Leader:'''<br />
<br />
GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']<br />
o [https://twitter.com/lord_epsylon '''twitter.com''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=User:Epsylon&diff=135060User:Epsylon2012-08-30T09:12:08Z<p>Epsylon: </p>
<hr />
<div> GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']<br />
o [https://twitter.com/lord_epsylon '''twitter.com''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=Projects/Owasp_XSSER/Roadmap&diff=135059Projects/Owasp XSSER/Roadmap2012-08-30T09:09:04Z<p>Epsylon: </p>
<hr />
<div>Main Project: [https://www.owasp.org/index.php/OWASP_XSSER '''Website''']<br><br />
<br />
Download roadmap planning: [https://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=OWASP_XSSER&diff=135058OWASP XSSER2012-08-30T09:08:13Z<p>Epsylon: </p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: The Cross Site Scripting Framework''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Devloop|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center"|Roadmap <br>[http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center"|[http://sourceforge.net/projects/xsser/files/latest/download '''v1.6b - "Grey Swarm"''']<br />
| style="width:42%; background:#cccccc" align="center"|[http://xsser.sf.net '''SF Website'''] <br> [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']<br />
| style="width:29%; background:#cccccc" align="center"| Paper: 'XSS for fun and profit':<br>[http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
----<br />
=Current Version=<br />
<br />
<table><br />
<tr><br />
<td>XSSer v1.6b ("The Mosquito: <u>Grey Swarm!</u>")<br><br><br />
[[Image:xsser-greyswarm_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm.png '''+ Click for Zoom''']]<br><br />
<br />
<ul><br />
<li>Download original source code: [http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download '''XSSer v1.6 -beta-''']</li><br />
<li>Ubuntu/Debian package: [http://xsser.sf.net/xsser/xsser-1.6_all.deb.tar.gz '''XSSer-1.6_all.deb''']</li><br />
<li>ArchLinux package: [http://aur.archlinux.org/packages.php?ID=43447 '''AUR link (v1.6b)''']</li><br />
<li>Gentoo package: [http://perso.ikujam.org/xsser-1.6.1-ebuild.tar.gz '''XSSer Gentoo ebuild (v1.6b)''']</li><br />
<li>RPM package: [http://xsser.sf.net/xsser/xsser-1.6-1.noarch.rpm.tar.gz '''XSSer-1.6-1.noarch.rpm''']</li><br />
<li>Or update your copy directly from the XSSer -Subversion- repository:</li><br />
<br />
<u>$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser</u><br><br><br />
<br />
</ul><br />
This version include more features on the GTK+ interface:<br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:xsser-greyswarm-donate_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-donate.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-map_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:xsser-greyswarm-check_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-check.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-conn_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-conn.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu [[Image:xssericon_32x32.png]]<br />
<br />
=Installation=<br />
<br />
<p><br />
XSSer runs on many platforms. It requires Python and the following libraries:<br><br><br />
<br />
- python-pycurl - Python bindings to libcurl<br><br />
<br />
- python-beautifulsoup - error-tolerant HTML parser for Python<br><br />
- python-libxml2 - Python bindings for the GNOME XML library<br><br />
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br><br />
<br />
On Debian-based systems (ex: Ubuntu), run: <br><br><br />
<br />
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip<br />
</p><br />
<br />
=How to Use=<br />
<br />
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]<br />
<br />
[http://xsser.sourceforge.net/#usage '''Usage'''] <br><br />
[http://xsser.sourceforge.net/#examples '''Examples'''] <br><br />
[http://xsser.sourceforge.net/#docs '''Documentation'''] <br><br />
[http://xsser.sourceforge.net/#screenshots '''Screenshots'''] <br><br />
[http://xsser.sourceforge.net/#videotutorials '''Videos'''] <br><br />
<br />
=Changelog=<br />
<br />
'''November, 28, 2011:'''<br><br />
<br />
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.<br><br />
<br />
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.<br><br><br />
<br />
'''February, 25, 2011:'''<br><br />
<br />
Added package for Archlinux.<br><br><br />
<br />
'''February, 24, 2011:'''<br><br />
<br />
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.<br><br />
<br />
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.<br><br><br />
<br />
'''November, 13, 2010:'''<br><br />
<br />
XSSer package for Archlinux can be found in the AUR.<br><br><br />
<br />
'''November, 11, 2010:'''<br><br />
<br />
Created XSSer package (v1.0) for Ubuntu/Debian based systems.<br><br><br />
<br />
'''November, 9, 2010:'''<br><br />
<br />
Added more advanced statistics results + Bugfixig.<br><br><br />
<br />
'''November, 7, 2010:'''<br><br />
<br />
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.<br><br><br />
<br />
'''October, 8, 2010:'''<br><br />
<br />
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer<br><br />
<br />
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet<br><br />
<br />
Results of the -botnet- attack in real time:<br><br />
<br />
- http://identi.ca/xsserbot01<br><br />
- http://twitter.com/xsserbot01<br><br><br />
<br />
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).<br><br><br />
<br />
'''September 22, 2010:'''<br><br />
<br />
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.<br><br />
<br />
http://identi.ca/xsserbot01<br><br />
http://twitter.com/xsserbot01<br><br><br />
<br />
'''August 20, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).<br><br><br />
<br />
'''July 1, 2010:'''<br><br />
<br />
Dorking + Crawling + IP DWORD + Core clean.<br><br><br />
<br />
'''April 19, 2010:'''<br><br />
<br />
HTTPS implemented + patched bugs.<br><br><br />
<br />
'''March 22, 2010:'''<br><br />
<br />
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.<br><br><br />
<br />
'''March 18, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (62 different XSS injections).<br><br><br />
<br />
'''March 16, 2010:'''<br><br />
<br />
Added new payload encoders to bypass filters. <br><br><br />
<br />
=Roadmap=<br />
<br />
Download roadmap planning: [https://xsser.sourceforge.net/xsser/xsser-roadmap.pdf '''Next Version''']<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Mailing lists:'''<br />
<br />
* Owasp: [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] [mailto:owasp_xsser@lists.owasp.org '''Write''']<br />
<br />
* Sourceforge: [https://lists.sourceforge.net/lists/listinfo/xsser-users '''Subscribe'''] [mailto:xsser-users@lists.sourceforge.net '''Write''']<br />
<br />
'''Project Leader:'''<br />
<br />
GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']<br />
o [https://twitter.com/lord_epsylon '''twitter.com''']</div>Epsylonhttps://wiki.owasp.org/index.php?title=Projects/Owasp_XSSER/Roadmap&diff=135057Projects/Owasp XSSER/Roadmap2012-08-30T09:06:13Z<p>Epsylon: Blanked the page</p>
<hr />
<div></div>Epsylonhttps://wiki.owasp.org/index.php?title=File:Xssericon_32x32.png&diff=135056File:Xssericon 32x32.png2012-08-30T09:05:35Z<p>Epsylon: </p>
<hr />
<div></div>Epsylonhttps://wiki.owasp.org/index.php?title=File:Xsser-greyswarm_sm.png&diff=135055File:Xsser-greyswarm sm.png2012-08-30T09:05:23Z<p>Epsylon: </p>
<hr />
<div></div>Epsylonhttps://wiki.owasp.org/index.php?title=File:Xsser-greyswarm-map_sm.png&diff=135054File:Xsser-greyswarm-map sm.png2012-08-30T09:05:14Z<p>Epsylon: </p>
<hr />
<div></div>Epsylonhttps://wiki.owasp.org/index.php?title=File:Xsser-greyswarm-donate_sm.png&diff=135053File:Xsser-greyswarm-donate sm.png2012-08-30T09:05:02Z<p>Epsylon: </p>
<hr />
<div></div>Epsylonhttps://wiki.owasp.org/index.php?title=File:Xsser-greyswarm-conn_sm.png&diff=135052File:Xsser-greyswarm-conn sm.png2012-08-30T09:04:52Z<p>Epsylon: </p>
<hr />
<div></div>Epsylonhttps://wiki.owasp.org/index.php?title=File:Xsser-greyswarm-check_sm.png&diff=135051File:Xsser-greyswarm-check sm.png2012-08-30T09:04:35Z<p>Epsylon: </p>
<hr />
<div></div>Epsylonhttps://wiki.owasp.org/index.php?title=OWASP_XSSER&diff=135050OWASP XSSER2012-08-30T09:03:36Z<p>Epsylon: </p>
<hr />
<div>[[Category:OWASP Project]]<br />
{{Social Media Links}}<br><br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''<br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: The Cross Site Scripting Framework''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description''' <br />
| colspan="7" style="width:85%; background:#cccccc" align="left"|<br />
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''<br />
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Devloop|'''psy''']]<br />
| style="width:14%; background:#cccccc" align="center"|Roadmap <br>[http://xsser.sourceforge.net/xsser/xsser-roadmap-v1_7b.pdf '''Next Version''']<br />
| style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']<br />
| style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']<br />
| style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]<br />
| style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']<br />
|}<br />
{| style="width:100%" border="0" align="center" <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation''' <br />
|-<br />
| style="width:29%; background:#cccccc" align="center"|[http://sourceforge.net/projects/xsser/files/latest/download '''v1.6b - "Grey Swarm"''']<br />
| style="width:42%; background:#cccccc" align="center"|[http://xsser.sf.net '''SF Website'''] <br> [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']<br />
| style="width:29%; background:#cccccc" align="center"| Paper: 'XSS for fun and profit':<br>[http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']<br />
|}<br />
----<br />
=Current Version=<br />
<br />
<table><br />
<tr><br />
<td>XSSer v1.6b ("The Mosquito: <u>Grey Swarm!</u>")<br><br><br />
[[Image:xsser-greyswarm_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm.png '''+ Click for Zoom''']]<br><br />
<br />
<ul><br />
<li>Download original source code: [http://sourceforge.net/projects/xsser/files/xsser_1.6-1.tar.gz/download '''XSSer v1.6 -beta-''']</li><br />
<li>Ubuntu/Debian package: [http://xsser.sf.net/xsser/xsser-1.6_all.deb.tar.gz '''XSSer-1.6_all.deb''']</li><br />
<li>ArchLinux package: [http://aur.archlinux.org/packages.php?ID=43447 '''AUR link (v1.6b)''']</li><br />
<li>Gentoo package: [http://perso.ikujam.org/xsser-1.6.1-ebuild.tar.gz '''XSSer Gentoo ebuild (v1.6b)''']</li><br />
<li>RPM package: [http://xsser.sf.net/xsser/xsser-1.6-1.noarch.rpm.tar.gz '''XSSer-1.6-1.noarch.rpm''']</li><br />
<li>Or update your copy directly from the XSSer -Subversion- repository:</li><br />
<br />
<u>$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser</u><br><br><br />
<br />
</ul><br />
This version include more features on the GTK+ interface:<br />
</td><br />
</tr><br />
<tr><br />
<td><br />
<table><br />
<tr><br />
<br />
<td><br />
[[Image:xsser-greyswarm-donate_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-donate.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-map_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-map.png '''+ Click for Zoom''']]<br><br />
</td><br />
</tr><br />
<br />
<tr><br />
<td><br />
[[Image:xsser-greyswarm-check_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-check.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
<td><br />
[[Image:xsser-greyswarm-conn_sm.png]]<br><br />
[[http://xsser.sf.net/xsser/xsser-greyswarm-conn.png '''+ Click for Zoom''']]<br><br />
</td><br />
<br />
</tr><br />
</table><br />
</td><br />
</tr><br />
</table><br />
TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu [[Image:xssericon_32x32.png]]<br />
<br />
=Installation=<br />
<br />
<p><br />
XSSer runs on many platforms. It requires Python and the following libraries:<br><br><br />
<br />
- python-pycurl - Python bindings to libcurl<br><br />
<br />
- python-beautifulsoup - error-tolerant HTML parser for Python<br><br />
- python-libxml2 - Python bindings for the GNOME XML library<br><br />
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br><br />
<br />
On Debian-based systems (ex: Ubuntu), run: <br><br><br />
<br />
sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip<br />
</p><br />
<br />
=How to Use=<br />
<br />
xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]<br />
<br />
[http://xsser.sourceforge.net/#usage '''Usage'''] <br><br />
[http://xsser.sourceforge.net/#examples '''Examples'''] <br><br />
[http://xsser.sourceforge.net/#docs '''Documentation'''] <br><br />
[http://xsser.sourceforge.net/#screenshots '''Screenshots'''] <br><br />
[http://xsser.sourceforge.net/#videotutorials '''Videos'''] <br><br />
<br />
=Changelog=<br />
<br />
'''November, 28, 2011:'''<br><br />
<br />
Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.<br><br />
<br />
GTK: Added New features to GTK controller + Added Detailed views to GTK interface.<br><br><br />
<br />
'''February, 25, 2011:'''<br><br />
<br />
Added package for Archlinux.<br><br><br />
<br />
'''February, 24, 2011:'''<br><br />
<br />
Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.<br><br />
<br />
GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.<br><br><br />
<br />
'''November, 13, 2010:'''<br><br />
<br />
XSSer package for Archlinux can be found in the AUR.<br><br><br />
<br />
'''November, 11, 2010:'''<br><br />
<br />
Created XSSer package (v1.0) for Ubuntu/Debian based systems.<br><br><br />
<br />
'''November, 9, 2010:'''<br><br />
<br />
Added more advanced statistics results + Bugfixig.<br><br><br />
<br />
'''November, 7, 2010:'''<br><br />
<br />
Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.<br><br><br />
<br />
'''October, 8, 2010:'''<br><br />
<br />
POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer<br><br />
<br />
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet<br><br />
<br />
Results of the -botnet- attack in real time:<br><br />
<br />
- http://identi.ca/xsserbot01<br><br />
- http://twitter.com/xsserbot01<br><br><br />
<br />
Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).<br><br><br />
<br />
'''September 22, 2010:'''<br><br />
<br />
Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.<br><br />
<br />
http://identi.ca/xsserbot01<br><br />
http://twitter.com/xsserbot01<br><br><br />
<br />
'''August 20, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).<br><br><br />
<br />
'''July 1, 2010:'''<br><br />
<br />
Dorking + Crawling + IP DWORD + Core clean.<br><br><br />
<br />
'''April 19, 2010:'''<br><br />
<br />
HTTPS implemented + patched bugs.<br><br><br />
<br />
'''March 22, 2010:'''<br><br />
<br />
Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.<br><br><br />
<br />
'''March 18, 2010:'''<br><br />
<br />
Added attack payloads to auto-payloader (62 different XSS injections).<br><br><br />
<br />
'''March 16, 2010:'''<br><br />
<br />
Added new payload encoders to bypass filters. <br><br><br />
<br />
=Roadmap=<br />
<br />
Download roadmap planning: [https://xsser.sourceforge.net/xsser/xsser-roadmap-v1_7b.pdf '''Next Version''']<br />
<br />
=Contact=<br />
<br />
'''Irc:''' <br />
<br />
* irc.freenode.net - channel: ''#xsser''<br />
<br />
'''Mailing lists:'''<br />
<br />
* Owasp: [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] [mailto:owasp_xsser@lists.owasp.org '''Write''']<br />
<br />
* Sourceforge: [https://lists.sourceforge.net/lists/listinfo/xsser-users '''Subscribe'''] [mailto:xsser-users@lists.sourceforge.net '''Write''']<br />
<br />
'''Project Leader:'''<br />
<br />
GPG ID: ''0xB8AC3776''<br />
<br />
* Website:<br />
o [http://lordepsylon.net '''http://lordepsylon.net''']<br />
<br />
* Email:<br />
o [mailto:root@lordepsylon.net '''psy''']<br />
o [mailto:epsylon@riseup,net '''epsylon''']<br />
<br />
* Microblogging:<br />
o [https://identi.ca/psy '''identi.ca''']<br />
o [https://twitter.com/lord_epsylon '''twitter.com''']</div>Epsylon