OWASP - User contributions [en]

OWASP XSSER

2019-09-23T09:19:45Z

Psy: updated content to new release published

[[Category:OWASP Project]]
{{Social Media Links}} 

----
{| style="width:100%" border="0" align="center"
! colspan="8" style="background:#4058A0; color:white" align="center" |'''OWASP XSSer Project''' Web application vulnerability scanner / Security auditor
|-
| style="width:15%; background:#7B8ABD" align="center" |'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left" |'''XSSer: "The Cross Site Scripting Framework"'''
|-
| style="width:15%; background:#7B8ABD" align="center" | '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left" |
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.
|-
| style="width:15%; background:#7B8ABD" align="center" |'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center" |Project Leader [[User:Psy|'''psy''']]
| style="width:14%; background:#cccccc" align="center" |Mailing List [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']
| style="width:14%; background:#cccccc" align="center" |License [http://gplv3.fsf.org/ '''GNU GPLv3''']
| style="width:14%; background:#cccccc" align="center" |Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]
| style="width:15%; background:#cccccc" align="center" |Support [http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards'''] [http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']
|}
{| style="width:100%" border="0" align="center"
! style="background:#7B8ABD; color:white" align="center" |'''Last Package'''
! style="background:#7B8ABD; color:white" align="center" |'''Main Links'''
! style="background:#7B8ABD; color:white" align="center" |'''Related Documentation'''
|-
| style="width:29%; background:#cccccc" align="center" |[https://xsser.03c8.net/xsser/xsser_1.8-1.tar.gz '''XSSer "The Hive!" (v1.8-1)''']
| style="width:42%; background:#cccccc" align="center" |[https://xsser.03c8.net '''Official site'''] [https://github.com/epsylon/xsser '''Code Repository''']
| style="width:29%; background:#cccccc" align="center" | Paper(2009): 'XSS for fun and profit': [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']
|}

=Current Version=
<table>
<tr>
<td>
[[File:Thehive1.png|thumb|TheHive]] 
XSSer v1.8-1 ("The Hive!") 

<ul>
<li>Download (.tar.gz) source code: [https://xsser.03c8.net/xsser/xsser_1.8-1.tar.gz '''XSSer_v1.8-1.tar.gz''']</li>
<li>Download (.zip) source code: [https://xsser.03c8.net/xsser/xsser_1.8-1.zip '''XSSer_v1.8-1.zip''']</li>
<li>Or update your copy directly from the XSSer -Github- repository:</li>

$ git clone https://github.com/epsylon/xsser

</ul>
This version include more features on the GTK+ interface: xsser --gtk
</td>
</tr>
<tr>
<td>
<table>
<tr>

<td>
[[Image:Xsser-zika-gui.png]] 
[[https://www.owasp.org/images/f/f7/Xsser-zika-gui.png '''+ Click for Zoom''']] 
</td>

<td>
[[Image:Xsser-zika-tor.png]] 
[[https://www.owasp.org/images/b/b1/Xsser-zika-tor.png '''+ Click for Zoom''']] 
</td>
</tr>

<tr>
<td>
[[Image:Xsser-zika-map.png]] 
[[https://www.owasp.org/images/7/74/Xsser-zika-map.png '''+ Click for Zoom''']] 
</td>

<td>
[[Image:Xsser-zika-spidering.png]] 
[[https://www.owasp.org/images/3/38/Xsser-zika-spidering.png '''+ Click for Zoom''']] 
</td>

</tr>
</table>
</td>
</tr>
</table>
= How it works=
 
[[Image:Xsser-url-schema.png]] 
[[https://www.owasp.org/images/f/f9/Xsser-url-schema.png '''+ Click for Zoom''']] 
 
=Installation=

XSSer runs on many platforms. It requires Python and the following libraries: 

- python-pycurl - Python bindings to libcurl 
- python-xmlbuilder - create xml/(x)html files - Python 2.x 
- python-beautifulsoup - error-tolerant HTML parser for Python 
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library 

On Debian-based systems (ex: Ubuntu), run: 

$ sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip 


=Options=

Usage:

xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}

Cross Site "Scripter" is an automatic -framework- to detect, exploit and
report XSS vulnerabilities in web-based applications.

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose active verbose mode output results
--gtk launch XSSer GTK Interface
--wizard start Wizard Helper!

*Special Features*:
You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
code embedded. XST allows you to discover if target is vulnerable to
'Cross Site Tracing' [CAPEC-107]:

--imx=IMX IMX - Create an image with XSS (--imx image.png)
--fla=FLASH FLA - Create a flash movie with XSS (--fla movie.swf)
--xst=XST XST - Cross Site Tracing (--xst http(s)://host.com)

*Select Target(s)*:
At least one of these options must to be specified to set the source
to get target(s) urls from:

--all=TARGET Automatically audit an entire target
-u URL, --url=URL Enter target to audit
-i READFILE Read target(s) urls from file
-d DORK Search target(s) using a query (ex: 'news.php?id=')
-l Search from a list of 'dorks'
--De=DORK_ENGINE Use this search engine (default: yahoo)
--Da Search massively using all search engines

*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use
as payload(s). Set 'XSS' as keyword on the place(s) that you want to
inject:

-g GETDATA Send payload using GET (ex: '/menu.php?id=XSS')
-p POSTDATA Send payload using POST (ex: 'foo=1&bar=XSS')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5 (default: 2)
--Cl Crawl only local target(s) urls (default: FALSE)

*Configure Request(s)*:
These options can be used to specify how to connect to the target(s)
payload(s). You can choose multiple:

--head Send a HEAD request before start a test
--cookie=COOKIE Change your HTTP Cookie header
--drop-cookie Ignore Set-Cookie header from response
--user-agent=AGENT Change your HTTP User-Agent header (default: SPOOFED)
--referer=REFERER Use another HTTP Referer header (default: NONE)
--xforw Set your HTTP X-Forwarded-For with random IP values
--xclient Set your HTTP X-Client-IP with random IP values
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM)
--auth-cred=ACRED HTTP Authentication credentials (name:password)
--check-tor Check to see if Tor is used properly
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--ignore-proxy Ignore system default HTTP proxy
--timeout=TIMEOUT Select your timeout (default: 30)
--retries=RETRIES Retries when connection timeout (default: 1)
--threads=THREADS Maximum number of concurrent requests (default: 5)
--delay=DELAY Delay in seconds between each request (default: 0)
--tcp-nodelay Use the TCP_NODELAY option
--follow-redirects Follow server redirection responses (302)
--follow-limit=FLI Set limit for redirection requests (default: 50)

*Checker Systems*:
These options are useful to know if your target is using filters
against XSS attacks:

--hash Send a hash to check if target is repeating content
--heuristic Discover parameters filtered by using heuristics
--discode=DISCODE Set code on reply to discard an injection
--checkaturl=ALT Check reply using: <alternative url> [aka BLIND-XSS]
--checkmethod=ALTM Check reply using: GET or POST (default: GET)
--checkatdata=ALD Check reply using: <alternative payload>
--reverse-check Establish a reverse connection from target to XSSer
--reverse-open Open a web browser when a reverse check is established

*Select Vector(s)*:
These options can be used to specify injection(s) code. Important if
you don't want to inject a common XSS vector used by default. Choose
only one option:

--payload=SCRIPT OWN - Inject your own code
--auto AUTO - Inject a list of vectors provided by XSSer

*Select Payload(s)*:
These options can be used to set the list of vectors provided by
XSSer. Choose only if required:

--auto-set=FZZ_NUM ASET - Limit of vectors to inject (default: 1293)
--auto-info AINFO - Select ONLY vectors with INFO (defaul: FALSE)
--auto-random ARAND - Set random to order (default: FALSE)

*Anti-antiXSS Firewall rules*:
These options can be used to try to bypass specific WAF/IDS products
and some anti-XSS browser filters. Choose only if required:

--Phpids0.6.5 PHPIDS (0.6.5) [ALL]
--Phpids0.7 PHPIDS (0.7) [ALL]
--Imperva Imperva Incapsula [ALL]
--Webknight WebKnight (4.1) [Chrome]
--F5bigip F5 Big IP [Chrome + FF + Opera]
--Barracuda Barracuda WAF [ALL]
--Modsec Mod-Security [ALL]
--Quickdefense QuickDefense [Chrome]
--Firefox Firefox 12 [& below]
--Chrome Chrome 19 & Firefox 12 [& below]
--Opera Opera 10.5 [& below]
--Iexplorer IExplorer 9 & Firefox 12 [& below]

*Select Bypasser(s)*:
These options can be used to encode vector(s) and try to bypass
possible anti-XSS filters. They can be combined with other techniques:

--Str Use method String.FromCharCode()
--Une Use Unescape() function
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding with semicolons
--Dwo Encode IP addresses with DWORD
--Doo Encode IP addresses with Octal
--Cem=CEM Set different 'Character Encoding Mutations'
(reversing obfuscators) (ex: 'Mix,Une,Str,Hex')

*Special Technique(s)*:
These options can be used to inject code using different XSS
techniques and fuzzing vectors. You can choose multiple:

--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Document Object Model injections
--Ind IND - HTTP Response Splitting Induced code

*Select Final injection(s)*:
These options can be used to specify the final code to inject on
vulnerable target(s). Important if you want to exploit 'on-the-wild'
the vulnerabilities found. Choose only one option:

--Fp=FINALPAYLOAD OWN - Exploit your own code
--Fr=FINALREMOTE REMOTE - Exploit a script -remotely-

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) on
vulnerable target(s). You can select multiple and combine them with
your final code (except with DCP exploits):

--Anchor ANC - Use 'Anchor Stealth' payloader (DOM shadows!)
--B64 B64 - Base64 code encoding in META tag (rfc2397)
--Onm ONM - Use onMouseMove() event
--Ifr IFR - Use <iframe> source tag
--Dos DOS - XSS (client) Denial of Service
--Doss DOSs - XSS (server) Denial of Service

*Reporting*:
--save Export to file (XSSreport.raw)
--xml=FILEXML Export to XML (--xml file.xml)

*Miscellaneous*:
--silent Inhibit console output results
--alive=ISALIVE Set limit of errors before check if target is alive
--update Check for latest stable version

=Contact=

'''Irc:'''

* irc.freenode.net - channel: ''#xsser''

'''Project Leader:'''

* [[User:Psy|'''psy''']] - [https://03c8.net '''03c8.net''']

File:Thehive1.png

2019-09-23T09:16:08Z

Psy:

XSSer v1.8.1

OWASP XSSER

2018-04-13T01:30:53Z

Psy: porject update

[[Category:OWASP Project]]
{{Social Media Links}} 

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''OWASP XSSer Project''' Web application vulnerability scanner / Security auditor
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''XSSer: "The Cross Site Scripting Framework"'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [[User:Psy|'''psy''']]
| style="width:14%; background:#cccccc" align="center"|Mailing List [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']
| style="width:14%; background:#cccccc" align="center"|License [http://gplv3.fsf.org/ '''GNU GPLv3''']
| style="width:14%; background:#cccccc" align="center"|Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]
| style="width:15%; background:#cccccc" align="center"|Support [http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards'''] [http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Last Package'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Documentation'''
|-
| style="width:29%; background:#cccccc" align="center"|[https://xsser.03c8.net/xsser/xsser_1.7-2.tar.gz '''XSSer "ZiKA-47 Swarm!" (v1.7-2b)''']
| style="width:42%; background:#cccccc" align="center"|[https://xsser.03c8.net '''Official site'''] [https://github.com/epsylon/xsser '''Code Repository''']
| style="width:29%; background:#cccccc" align="center"| Paper(2009): 'XSS for fun and profit': [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']
|}

=Current Version=
<table>
<tr>
<td>[[Image:Xsser-zika-banner.png]] 
XSSer v1.7-2b ("The Mosquito: ZiKA-47 Swarm") 

<ul>
<li>Download (.tar.gz) source code: [https://xsser.03c8.net/xsser/xsser_1.7-2.tar.gz '''XSSer_v1.7-2.tar.gz''']</li>
<li>Download (.zip) source code: [https://xsser.03c8.net/xsser/xsser_1.7-2.zip '''XSSer_v1.7-2.zip''']</li>
<li>Or update your copy directly from the XSSer -Github- repository:</li>

$ git clone https://github.com/epsylon/xsser

</ul>
This version include more features on the GTK+ interface: xsser --gtk
</td>
</tr>
<tr>
<td>
<table>
<tr>

<td>
[[Image:Xsser-zika-gui.png]] 
[[https://www.owasp.org/images/f/f7/Xsser-zika-gui.png '''+ Click for Zoom''']] 
</td>

<td>
[[Image:Xsser-zika-tor.png]] 
[[https://www.owasp.org/images/b/b1/Xsser-zika-tor.png '''+ Click for Zoom''']] 
</td>
</tr>

<tr>
<td>
[[Image:Xsser-zika-map.png]] 
[[https://www.owasp.org/images/7/74/Xsser-zika-map.png '''+ Click for Zoom''']] 
</td>

<td>
[[Image:Xsser-zika-spidering.png]] 
[[https://www.owasp.org/images/3/38/Xsser-zika-spidering.png '''+ Click for Zoom''']] 
</td>

</tr>
</table>
</td>
</tr>
</table>
= How it works=
 
[[Image:Xsser-url-schema.png]] 
[[https://www.owasp.org/images/f/f9/Xsser-url-schema.png '''+ Click for Zoom''']] 
 
=Installation=

XSSer runs on many platforms. It requires Python and the following libraries: 

- python-pycurl - Python bindings to libcurl 
- python-xmlbuilder - create xml/(x)html files - Python 2.x 
- python-beautifulsoup - error-tolerant HTML parser for Python 
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library 

On Debian-based systems (ex: Ubuntu), run: 

$ sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip 


=Options=

xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous} 

--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose active verbose mode output results
--gtk launch XSSer GTK Interface
--wizard start Wizard Helper!

*Special Features*:
You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
code embedded. XST allows you to discover if target is vulnerable to
'Cross Site Tracing' [CAPEC-107]:

--imx=IMX IMX - Create an image with XSS (--imx image.png)
--fla=FLASH FLA - Create a flash movie with XSS (--fla movie.swf)
--xst=XST XST - Cross Site Tracing (--xst http(s)://host.com)

*Select Target(s)*:
At least one of these options must to be specified to set the source
to get target(s) urls from:

--all=TARGET Automatically audit an entire target
-u URL, --url=URL Enter target to audit
-i READFILE Read target(s) urls from file
-d DORK Search target(s) using a query (ex: 'news.php?id=')
-l Search from a list of 'dorks'
--De=DORK_ENGINE Use this search engine (default: yahoo)
--Da Search massively using all search engines

*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use
as payload(s) to inject:

-g GETDATA Send payload using GET (ex: '/menu.php?q=')
-p POSTDATA Send payload using POST (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5 (default 3)
--Cl Crawl only local target(s) urls (default TRUE)

*Configure Request(s)*:
These options can be used to specify how to connect to the target(s)
payload(s). You can choose multiple:

--cookie=COOKIE Change your HTTP Cookie header
--drop-cookie Ignore Set-Cookie header from response
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--xforw Set your HTTP X-Forwarded-For with random IP values
--xclient Set your HTTP X-Client-IP with random IP values
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM)
--auth-cred=ACRED HTTP Authentication credentials (name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--ignore-proxy Ignore system default HTTP proxy
--timeout=TIMEOUT Select your timeout (default 30)
--retries=RETRIES Retries when the connection timeouts (default 1)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--delay=DELAY Delay in seconds between each HTTP request (default 0)
--tcp-nodelay Use the TCP_NODELAY option
--follow-redirects Follow server redirection responses (302)
--follow-limit=FLI Set limit for redirection requests (default 50)

*Checker Systems*:
These options are useful to know if your target is using filters
against XSS attacks:

--hash send a hash to check if target is repeating content
--heuristic discover parameters filtered by using heuristics
--discode=DISCODE set code on reply to discard an injection
--checkaturl=ALT check reply using: alternative url -> Blind XSS
--checkmethod=ALTM check reply using: GET or POST (default: GET)
--checkatdata=ALD check reply using: alternative payload
--reverse-check establish a reverse connection from target to XSSer to
certify that is 100% vulnerable (recommended!)

*Select Vector(s)*:
These options can be used to specify injection(s) code. Important if
you don't want to inject a common XSS vector used by default. Choose
only one option:

--payload=SCRIPT OWN - Inject your own code
--auto AUTO - Inject a list of vectors provided by XSSer

*Anti-antiXSS Firewall rules*:
These options can be used to try to bypass specific WAF/IDS products.
Choose only if required:

--Phpids0.6.5 PHPIDS (0.6.5) [ALL]
--Phpids0.7 PHPIDS (0.7) [ALL]
--Imperva Imperva Incapsula [ALL]
--Webknight WebKnight (4.1) [Chrome]
--F5bigip F5 Big IP [Chrome + FF + Opera]
--Barracuda Barracuda WAF [ALL]
--Modsec Mod-Security [ALL]
--Quickdefense QuickDefense [Chrome]

*Select Bypasser(s)*:
These options can be used to encode vector(s) and try to bypass
possible anti-XSS filters. They can be combined with other techniques:

--Str Use method String.FromCharCode()
--Une Use Unescape() function
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding with semicolons
--Dwo Encode IP addresses with DWORD
--Doo Encode IP addresses with Octal
--Cem=CEM Set different 'Character Encoding Mutations'
(reversing obfuscators) (ex: 'Mix,Une,Str,Hex')

*Special Technique(s)*:
These options can be used to inject code using different XSS
techniques. You can choose multiple:

--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Document Object Model injections
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)

*Select Final injection(s)*:
These options can be used to specify the final code to inject on
vulnerable target(s). Important if you want to exploit 'on-the-wild'
the vulnerabilities found. Choose only one option:

--Fp=FINALPAYLOAD OWN - Exploit your own code
--Fr=FINALREMOTE REMOTE - Exploit a script -remotely-
--Doss DOSs - XSS (server) Denial of Service
--Dos DOS - XSS (client) Denial of Service
--B64 B64 - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) on
vulnerable target(s). You can select multiple and combine them with
your final code (except with DCP code):

--Onm ONM - Use onMouseMove() event
--Ifr IFR - Use <iframe> source tag

*Reporting*:
--save export to file (XSSreport.raw)
--xml=FILEXML export to XML (--xml file.xml)

*Miscellaneous*:
--silent inhibit console output results
--no-head NOT send a HEAD request before start a test
--alive=ISALIVE set limit of errors before check if target is alive
--update check for latest stable version

=Contact=

'''Irc:'''

* irc.freenode.net - channel: ''#xsser''

'''Project Leader:'''

* [[User:Psy|'''psy''']] - [https://03c8.net '''03c8.net''']

OWASP XSSER

2016-05-02T15:52:45Z

Psy:

[[Category:OWASP Project]]
{{Social Media Links}} 

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''OWASP XSSer Project''' Web application vulnerability scanner / Security auditor
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''XSSer: "The Cross Site Scripting Framework"'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [[User:Psy|'''psy''']]
| style="width:14%; background:#cccccc" align="center"|Mailing List [https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:owasp_xsser@lists.owasp.org '''Use''']
| style="width:14%; background:#cccccc" align="center"|License [http://gplv3.fsf.org/ '''GNU GPLv3''']
| style="width:14%; background:#cccccc" align="center"|Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]
| style="width:15%; background:#cccccc" align="center"|Support [http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards'''] [http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Last Package'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Documentation'''
|-
| style="width:29%; background:#cccccc" align="center"|[https://xsser.03c8.net/xsser/xsser_1.7-1.tar.gz '''"(v1.7-1b) "ZiKA-47 Swarm!"''']
| style="width:42%; background:#cccccc" align="center"|[https://xsser.03c8.net '''Official site'''] [http://sourceforge.net/projects/xsser/files/ '''Code Releases''']
| style="width:29%; background:#cccccc" align="center"| Paper(2009): 'XSS for fun and profit': [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']
|}

=Current Version=
<table>
<tr>
<td>[[Image:Xsser-zika-banner.png]] 
XSSer v1.7-1b ("The Mosquito: ZiKA-47 Swarm") 

<ul>
<li>Download (.tar.gz) source code: [http://xsser.03c8.net/xsser/xsser_1.7-1.tar.gz '''XSSer_v1.7-1.tar.gz''']</li>
<li>Download (.zip) source code: [http://xsser.03c8.net/xsser/xsser_1.7-1.zip '''XSSer_v1.7-1.zip''']</li>
<li>Ubuntu/Debian package: [http://xsser.03c8.net/xsser/xsser_1.7-1_amd64.deb '''XSSer-1.7-1_all.deb''']</li>
<li>Or update your copy directly from the XSSer -Github- repository:</li>

$ git clone https://github.com/epsylon/xsser-public

</ul>
This version include more features on the GTK+ interface: xsser --gtk
</td>
</tr>
<tr>
<td>
<table>
<tr>

<td>
[[Image:Xsser-zika-gui.png]] 
[[https://www.owasp.org/images/f/f7/Xsser-zika-gui.png '''+ Click for Zoom''']] 
</td>

<td>
[[Image:Xsser-zika-tor.png]] 
[[https://www.owasp.org/images/b/b1/Xsser-zika-tor.png '''+ Click for Zoom''']] 
</td>
</tr>

<tr>
<td>
[[Image:Xsser-zika-map.png]] 
[[https://www.owasp.org/images/7/74/Xsser-zika-map.png '''+ Click for Zoom''']] 
</td>

<td>
[[Image:Xsser-zika-spidering.png]] 
[[https://www.owasp.org/images/3/38/Xsser-zika-spidering.png '''+ Click for Zoom''']] 
</td>

</tr>
</table>
</td>
</tr>
</table>
= How it works=
 
[[Image:Xsser-url-schema.png]] 
[[https://www.owasp.org/images/f/f9/Xsser-url-schema.png '''+ Click for Zoom''']] 
 
=Installation=

XSSer runs on many platforms. It requires Python and the following libraries: 

- python-pycurl - Python bindings to libcurl 
- python-xmlbuilder - create xml/(x)html files - Python 2.x 
- python-beautifulsoup - error-tolerant HTML parser for Python 
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library 

On Debian-based systems (ex: Ubuntu), run: 

$ sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip 


=Options=

xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous} 

--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose active verbose mode output results
--gtk launch XSSer GTK Interface
--wizard start Wizard Helper!

*Special Features*:
You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
code embedded. XST allows you to discover if target is vulnerable to
'Cross Site Tracing' [CAPEC-107]:

--imx=IMX IMX - Create an image with XSS (--imx image.png)
--fla=FLASH FLA - Create a flash movie with XSS (--fla movie.swf)
--xst=XST XST - Cross Site Tracing (--xst http(s)://host.com)

*Select Target(s)*:
At least one of these options must to be specified to set the source
to get target(s) urls from:

--all=TARGET Automatically audit an entire target
-u URL, --url=URL Enter target to audit
-i READFILE Read target(s) urls from file
-d DORK Search target(s) using a query (ex: 'news.php?id=')
-l Search from a list of 'dorks'
--De=DORK_ENGINE Use this search engine (default: duck)
--Da Search massively using all search engines

*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use
as payload(s) to inject:

-g GETDATA Send payload using GET (ex: '/menu.php?q=')
-p POSTDATA Send payload using POST (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5 (default 3)
--Cl Crawl only local target(s) urls (default TRUE)

*Configure Request(s)*:
These options can be used to specify how to connect to the target(s)
payload(s). You can choose multiple:

--cookie=COOKIE Change your HTTP Cookie header
--drop-cookie Ignore Set-Cookie header from response
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--xforw Set your HTTP X-Forwarded-For with random IP values
--xclient Set your HTTP X-Client-IP with random IP values
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM)
--auth-cred=ACRED HTTP Authentication credentials (name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--ignore-proxy Ignore system default HTTP proxy
--timeout=TIMEOUT Select your timeout (default 30)
--retries=RETRIES Retries when the connection timeouts (default 1)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--delay=DELAY Delay in seconds between each HTTP request (default 0)
--tcp-nodelay Use the TCP_NODELAY option
--follow-redirects Follow server redirection responses (302)
--follow-limit=FLI Set limit for redirection requests (default 50)

*Checker Systems*:
These options are useful to know if your target is using filters
against XSS attacks:

--hash send a hash to check if target is repeating content
--heuristic discover parameters filtered by using heuristics
--discode=DISCODE set code on reply to discard an injection
--checkaturl=ALT check reply using: alternative url -> Blind XSS
--checkmethod=ALTM check reply using: GET or POST (default: GET)
--checkatdata=ALD check reply using: alternative payload
--reverse-check establish a reverse connection from target to XSSer to
certify that is 100% vulnerable (recommended!)

*Select Vector(s)*:
These options can be used to specify injection(s) code. Important if
you don't want to inject a common XSS vector used by default. Choose
only one option:

--payload=SCRIPT OWN - Inject your own code
--auto AUTO - Inject a list of vectors provided by XSSer

*Anti-antiXSS Firewall rules*:
These options can be used to try to bypass specific WAF/IDS products.
Choose only if required:

--Phpids0.6.5 PHPIDS (0.6.5) [ALL]
--Phpids0.7 PHPIDS (0.7) [ALL]
--Imperva Imperva Incapsula [ALL]
--Webknight WebKnight (4.1) [Chrome]
--F5bigip F5 Big IP [Chrome + FF + Opera]
--Barracuda Barracuda WAF [ALL]
--Modsec Mod-Security [ALL]
--Quickdefense QuickDefense [Chrome]

*Select Bypasser(s)*:
These options can be used to encode vector(s) and try to bypass
possible anti-XSS filters. They can be combined with other techniques:

--Str Use method String.FromCharCode()
--Une Use Unescape() function
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding with semicolons
--Dwo Encode IP addresses with DWORD
--Doo Encode IP addresses with Octal
--Cem=CEM Set different 'Character Encoding Mutations'
(reversing obfuscators) (ex: 'Mix,Une,Str,Hex')

*Special Technique(s)*:
These options can be used to inject code using different XSS
techniques. You can choose multiple:

--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Document Object Model injections
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)

*Select Final injection(s)*:
These options can be used to specify the final code to inject on
vulnerable target(s). Important if you want to exploit 'on-the-wild'
the vulnerabilities found. Choose only one option:

--Fp=FINALPAYLOAD OWN - Exploit your own code
--Fr=FINALREMOTE REMOTE - Exploit a script -remotely-
--Doss DOSs - XSS (server) Denial of Service
--Dos DOS - XSS (client) Denial of Service
--B64 B64 - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) on
vulnerable target(s). You can select multiple and combine them with
your final code (except with DCP code):

--Onm ONM - Use onMouseMove() event
--Ifr IFR - Use <iframe> source tag

*Reporting*:
--save export to file (XSSreport.raw)
--xml=FILEXML export to XML (--xml file.xml)

*Miscellaneous*:
--silent inhibit console output results
--no-head NOT send a HEAD request before start a test
--alive=ISALIVE set limit of errors before check if target is alive
--update check for latest stable version

=Contact=

'''Irc:'''

* irc.freenode.net - channel: ''#xsser''

'''Project Leader:'''

* [[User:Psy|'''psy''']] - [https://03c8.net '''03c8.net''']

File:Xsser-url-schema.png

2016-05-02T15:34:06Z

Psy:

File:Xsser-zika-spidering.png

2016-05-02T15:25:53Z

Psy:

File:Xsser-zika-map.png

2016-05-02T15:24:54Z

Psy:

File:Xsser-zika-tor.png

2016-05-02T15:23:29Z

Psy:

File:Xsser-zika-gui.png

2016-05-02T15:21:32Z

Psy:

File:Xsser-zika-banner.png

2016-05-02T15:09:54Z

Psy: