This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP XSSER"

From OWASP
Jump to: navigation, search
(porject update)
(updated content to new release published)
Line 4: Line 4:
 
----
 
----
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
  ! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor   
+
  ! colspan="8" style="background:#4058A0; color:white" align="center" |<font color="white">'''OWASP XSSer Project'''<br>Web application vulnerability scanner / Security auditor   
 
  |-
 
  |-
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
+
  | style="width:15%; background:#7B8ABD" align="center" |'''Project Name'''
  | colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''XSSer: "The Cross Site Scripting Framework"'''  
+
  | colspan="7" style="width:85%; background:#cccccc" align="left" |<font color="black">'''XSSer: "The Cross Site Scripting Framework"'''  
 
  |-
 
  |-
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
+
  | style="width:15%; background:#7B8ABD" align="center" | '''Short Project Description'''  
  | colspan="7" style="width:85%; background:#cccccc" align="left"|
+
  | colspan="7" style="width:85%; background:#cccccc" align="left" |
 
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.  
 
Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.  
 
  |-
 
  |-
  | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
+
  | style="width:15%; background:#7B8ABD" align="center" |'''Key Project Information'''
  | style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Psy|'''psy''']]
+
  | style="width:14%; background:#cccccc" align="center" |Project Leader<br>[[User:Psy|'''psy''']]
  | style="width:14%; background:#cccccc" align="center"|Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:[email protected] '''Use''']
+
  | style="width:14%; background:#cccccc" align="center" |Mailing List<br>[https://lists.owasp.org/mailman/listinfo/owasp_xsser '''Subscribe'''] - [mailto:[email protected] '''Use''']
  | style="width:14%; background:#cccccc" align="center"|License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']
+
  | style="width:14%; background:#cccccc" align="center" |License<br>[http://gplv3.fsf.org/ '''GNU GPLv3''']
  | style="width:14%; background:#cccccc" align="center"|Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]
+
  | style="width:14%; background:#cccccc" align="center" |Project Type<br>[[:Category:OWASP_Project#Alpha_Status_Projects|'''Pentesting tool''']]
  | style="width:15%; background:#cccccc" align="center"|Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']
+
  | style="width:15%; background:#cccccc" align="center" |Support<br>[http://www.nlnet.nl/news/2010/20100623-awards.html '''NLNet Awards''']<br>[http://en.wikipedia.org/wiki/OWASP '''OWASP tool''']
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"  
 
{| style="width:100%" border="0" align="center"  
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Last Package'''  
+
  ! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Last Package'''  
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''
+
  ! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Main Links'''
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Documentation'''  
+
  ! style="background:#7B8ABD; color:white" align="center" |<font color="black">'''Related Documentation'''  
 
  |-
 
  |-
  | style="width:29%; background:#cccccc" align="center"|[https://xsser.03c8.net/xsser/xsser_1.7-2.tar.gz '''XSSer "ZiKA-47 Swarm!" (v1.7-2b)''']
+
  | style="width:29%; background:#cccccc" align="center" |[https://xsser.03c8.net/xsser/xsser_1.8-1.tar.gz '''XSSer "The Hive!" (v1.8-1)''']
  | style="width:42%; background:#cccccc" align="center"|[https://xsser.03c8.net '''Official site'''] <br> [https://github.com/epsylon/xsser '''Code Repository''']
+
  | style="width:42%; background:#cccccc" align="center" |[https://xsser.03c8.net '''Official site'''] <br> [https://github.com/epsylon/xsser '''Code Repository''']
  | style="width:29%; background:#cccccc" align="center"| Paper(2009): 'XSS for fun and profit':<br>[https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']
+
  | style="width:29%; background:#cccccc" align="center" | Paper(2009): 'XSS for fun and profit':<br>[https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf '''English'''] - [https://xsser.03c8.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf '''Spanish''']
 
  |}
 
  |}
  
Line 33: Line 33:
 
<table>
 
<table>
 
<tr>
 
<tr>
<td>[[Image:Xsser-zika-banner.png]]<br>
+
<td>
XSSer v1.7-2b ("The Mosquito: <u>ZiKA-47 Swarm</u>")<br>
+
[[File:Thehive1.png|thumb|TheHive]]<br>
 +
XSSer v1.8-1 ("<u>The Hive!</u>")<br>
  
 
<ul>
 
<ul>
<li>Download (.tar.gz) source code: [https://xsser.03c8.net/xsser/xsser_1.7-2.tar.gz '''XSSer_v1.7-2.tar.gz''']</li>
+
<li>Download (.tar.gz) source code: [https://xsser.03c8.net/xsser/xsser_1.8-1.tar.gz '''XSSer_v1.8-1.tar.gz''']</li>
<li>Download (.zip) source code: [https://xsser.03c8.net/xsser/xsser_1.7-2.zip '''XSSer_v1.7-2.zip''']</li>
+
<li>Download (.zip) source code: [https://xsser.03c8.net/xsser/xsser_1.8-1.zip '''XSSer_v1.8-1.zip''']</li>
 
<li>Or update your copy directly from the XSSer -Github- repository:</li>
 
<li>Or update your copy directly from the XSSer -Github- repository:</li>
  
Line 88: Line 89:
 
XSSer runs on many platforms.  It requires Python and the following libraries:<br><br>
 
XSSer runs on many platforms.  It requires Python and the following libraries:<br><br>
  
    - python-pycurl - Python bindings to libcurl<br>
+
  - python-pycurl - Python bindings to libcurl<br>
    - python-xmlbuilder - create xml/(x)html files - Python 2.x<br>
+
  - python-xmlbuilder - create xml/(x)html files - Python 2.x<br>
    - python-beautifulsoup - error-tolerant HTML parser for Python<br>
+
  - python-beautifulsoup - error-tolerant HTML parser for Python<br>
    - python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br>
+
  - python-geoip - Python bindings for the GeoIP IP-to-country resolver library<br><br>
  
 
On Debian-based systems (ex: Ubuntu), run: <br><br>
 
On Debian-based systems (ex: Ubuntu), run: <br><br>
Line 99: Line 100:
  
 
=Options=
 
=Options=
 +
 +
Usage:
  
 
xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
 
xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)]
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}<br>
+
[Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}
  
 +
Cross Site "Scripter" is an automatic -framework- to detect, exploit and
 +
report XSS vulnerabilities in web-based applications.
 +
 +
Options:
 
   --version            show program's version number and exit
 
   --version            show program's version number and exit
 
   -h, --help            show this help message and exit
 
   -h, --help            show this help message and exit
Line 133: Line 140:
 
   *Select type of HTTP/HTTPS Connection(s)*:
 
   *Select type of HTTP/HTTPS Connection(s)*:
 
     These options can be used to specify which parameter(s) we want to use
 
     These options can be used to specify which parameter(s) we want to use
     as payload(s) to inject:
+
     as payload(s). Set 'XSS' as keyword on the place(s) that you want to
 +
    inject:
  
     -g GETDATA          Send payload using GET (ex: '/menu.php?q=')
+
     -g GETDATA          Send payload using GET (ex: '/menu.php?id=XSS')
     -p POSTDATA        Send payload using POST (ex: 'foo=1&bar=')
+
     -p POSTDATA        Send payload using POST (ex: 'foo=1&bar=XSS')
 
     -c CRAWLING        Number of urls to crawl on target(s): 1-99999
 
     -c CRAWLING        Number of urls to crawl on target(s): 1-99999
     --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default 3)
+
     --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default: 2)
     --Cl                Crawl only local target(s) urls (default TRUE)
+
     --Cl                Crawl only local target(s) urls (default: FALSE)
  
 
   *Configure Request(s)*:
 
   *Configure Request(s)*:
Line 145: Line 153:
 
     payload(s). You can choose multiple:
 
     payload(s). You can choose multiple:
  
 +
    --head              Send a HEAD request before start a test
 
     --cookie=COOKIE    Change your HTTP Cookie header
 
     --cookie=COOKIE    Change your HTTP Cookie header
 
     --drop-cookie      Ignore Set-Cookie header from response
 
     --drop-cookie      Ignore Set-Cookie header from response
     --user-agent=AGENT  Change your HTTP User-Agent header (default SPOOFED)
+
     --user-agent=AGENT  Change your HTTP User-Agent header (default: SPOOFED)
     --referer=REFERER  Use another HTTP Referer header (default NONE)
+
     --referer=REFERER  Use another HTTP Referer header (default: NONE)
 
     --xforw            Set your HTTP X-Forwarded-For with random IP values
 
     --xforw            Set your HTTP X-Forwarded-For with random IP values
 
     --xclient          Set your HTTP X-Client-IP with random IP values
 
     --xclient          Set your HTTP X-Client-IP with random IP values
Line 154: Line 163:
 
     --auth-type=ATYPE  HTTP Authentication type (Basic, Digest, GSS or NTLM)
 
     --auth-type=ATYPE  HTTP Authentication type (Basic, Digest, GSS or NTLM)
 
     --auth-cred=ACRED  HTTP Authentication credentials (name:password)
 
     --auth-cred=ACRED  HTTP Authentication credentials (name:password)
 +
    --check-tor        Check to see if Tor is used properly
 
     --proxy=PROXY      Use proxy server (tor: http://localhost:8118)
 
     --proxy=PROXY      Use proxy server (tor: http://localhost:8118)
 
     --ignore-proxy      Ignore system default HTTP proxy
 
     --ignore-proxy      Ignore system default HTTP proxy
     --timeout=TIMEOUT  Select your timeout (default 30)
+
     --timeout=TIMEOUT  Select your timeout (default: 30)
     --retries=RETRIES  Retries when the connection timeouts (default 1)
+
     --retries=RETRIES  Retries when connection timeout (default: 1)
     --threads=THREADS  Maximum number of concurrent HTTP requests (default 5)
+
     --threads=THREADS  Maximum number of concurrent requests (default: 5)
     --delay=DELAY      Delay in seconds between each HTTP request (default 0)
+
     --delay=DELAY      Delay in seconds between each request (default: 0)
 
     --tcp-nodelay      Use the TCP_NODELAY option
 
     --tcp-nodelay      Use the TCP_NODELAY option
 
     --follow-redirects  Follow server redirection responses (302)
 
     --follow-redirects  Follow server redirection responses (302)
     --follow-limit=FLI  Set limit for redirection requests (default 50)
+
     --follow-limit=FLI  Set limit for redirection requests (default: 50)
  
 
   *Checker Systems*:
 
   *Checker Systems*:
Line 168: Line 178:
 
     against XSS attacks:
 
     against XSS attacks:
  
     --hash              send a hash to check if target is repeating content
+
     --hash              Send a hash to check if target is repeating content
     --heuristic        discover parameters filtered by using heuristics
+
     --heuristic        Discover parameters filtered by using heuristics
     --discode=DISCODE  set code on reply to discard an injection
+
     --discode=DISCODE  Set code on reply to discard an injection
     --checkaturl=ALT    check reply using: alternative url -> Blind XSS
+
     --checkaturl=ALT    Check reply using: <alternative url> [aka BLIND-XSS]
     --checkmethod=ALTM  check reply using: GET or POST (default: GET)
+
     --checkmethod=ALTM  Check reply using: GET or POST (default: GET)
     --checkatdata=ALD  check reply using: alternative payload
+
     --checkatdata=ALD  Check reply using: <alternative payload>
     --reverse-check    establish a reverse connection from target to XSSer to
+
     --reverse-check    Establish a reverse connection from target to XSSer
                        certify that is 100% vulnerable (recommended!)
+
    --reverse-open      Open a web browser when a reverse check is established
  
 
   *Select Vector(s)*:
 
   *Select Vector(s)*:
Line 182: Line 192:
 
     only one option:
 
     only one option:
  
     --payload=SCRIPT    OWN - Inject your own code
+
     --payload=SCRIPT    OWN   - Inject your own code
     --auto              AUTO - Inject a list of vectors provided by XSSer
+
     --auto              AUTO - Inject a list of vectors provided by XSSer
 +
 
 +
  *Select Payload(s)*:
 +
    These options can be used to set the list of vectors provided by
 +
    XSSer. Choose only if required:
 +
 
 +
    --auto-set=FZZ_NUM  ASET  - Limit of vectors to inject (default: 1293)
 +
    --auto-info        AINFO - Select ONLY vectors with INFO (defaul: FALSE)
 +
    --auto-random      ARAND - Set random to order (default: FALSE)
  
 
   *Anti-antiXSS Firewall rules*:
 
   *Anti-antiXSS Firewall rules*:
     These options can be used to try to bypass specific WAF/IDS products.
+
     These options can be used to try to bypass specific WAF/IDS products
     Choose only if required:
+
     and some anti-XSS browser filters. Choose only if required:
  
 
     --Phpids0.6.5      PHPIDS (0.6.5) [ALL]
 
     --Phpids0.6.5      PHPIDS (0.6.5) [ALL]
Line 197: Line 215:
 
     --Modsec            Mod-Security [ALL]
 
     --Modsec            Mod-Security [ALL]
 
     --Quickdefense      QuickDefense [Chrome]
 
     --Quickdefense      QuickDefense [Chrome]
 +
    --Firefox          Firefox 12 [& below]
 +
    --Chrome            Chrome 19 & Firefox 12 [& below]
 +
    --Opera            Opera 10.5 [& below]
 +
    --Iexplorer        IExplorer 9 & Firefox 12 [& below]
  
 
   *Select Bypasser(s)*:
 
   *Select Bypasser(s)*:
Line 215: Line 237:
 
   *Special Technique(s)*:
 
   *Special Technique(s)*:
 
     These options can be used to inject code using different XSS
 
     These options can be used to inject code using different XSS
     techniques. You can choose multiple:
+
     techniques and fuzzing vectors. You can choose multiple:
  
 
     --Coo              COO - Cross Site Scripting Cookie injection
 
     --Coo              COO - Cross Site Scripting Cookie injection
Line 223: Line 245:
 
     --Dom              DOM - Document Object Model injections
 
     --Dom              DOM - Document Object Model injections
 
     --Ind              IND - HTTP Response Splitting Induced code
 
     --Ind              IND - HTTP Response Splitting Induced code
    --Anchor            ANC - Use Anchor Stealth payloader (DOM shadows!)
 
  
 
   *Select Final injection(s)*:
 
   *Select Final injection(s)*:
Line 232: Line 253:
 
     --Fp=FINALPAYLOAD  OWN    - Exploit your own code
 
     --Fp=FINALPAYLOAD  OWN    - Exploit your own code
 
     --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-
 
     --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-
    --Doss              DOSs  - XSS (server) Denial of Service
 
    --Dos              DOS    - XSS (client) Denial of Service
 
    --B64              B64    - Base64 code encoding in META tag (rfc2397)
 
  
 
   *Special Final injection(s)*:
 
   *Special Final injection(s)*:
 
     These options can be used to execute some 'special' injection(s) on
 
     These options can be used to execute some 'special' injection(s) on
 
     vulnerable target(s). You can select multiple and combine them with
 
     vulnerable target(s). You can select multiple and combine them with
     your final code (except with DCP code):
+
     your final code (except with DCP exploits):
  
     --Onm              ONM - Use onMouseMove() event
+
    --Anchor            ANC  - Use 'Anchor Stealth' payloader (DOM shadows!)
     --Ifr              IFR - Use <iframe> source tag
+
    --B64              B64  - Base64 code encoding in META tag (rfc2397)
 +
     --Onm              ONM - Use onMouseMove() event
 +
     --Ifr              IFR - Use <iframe> source tag
 +
    --Dos              DOS  - XSS (client) Denial of Service
 +
    --Doss              DOSs - XSS (server) Denial of Service
  
 
   *Reporting*:
 
   *Reporting*:
     --save              export to file (XSSreport.raw)
+
     --save              Export to file (XSSreport.raw)
     --xml=FILEXML      export to XML (--xml file.xml)
+
     --xml=FILEXML      Export to XML (--xml file.xml)
  
 
   *Miscellaneous*:
 
   *Miscellaneous*:
     --silent            inhibit console output results
+
     --silent            Inhibit console output results
    --no-head          NOT send a HEAD request before start a test
+
     --alive=ISALIVE    Set limit of errors before check if target is alive
     --alive=ISALIVE    set limit of errors before check if target is alive
+
     --update            Check for latest stable version
     --update            check for latest stable version
 
  
 
=Contact=
 
=Contact=

Revision as of 09:19, 23 September 2019


Share this:  E-mail this story Bookmark with Facebook Share on Digg.com Share on delicious Share on reddit.com Share on stumbleupon.com Share on LinkedIn.com Share on twitter.com Seed on Newsvine


OWASP XSSer Project
Web application vulnerability scanner / Security auditor
Project Name XSSer: "The Cross Site Scripting Framework"
Short Project Description

Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

Key Project Information Project Leader
psy 		Mailing List
Subscribe - Use 		License
GNU GPLv3 		Project Type
Pentesting tool 		Support
NLNet Awards
OWASP tool
Last Package Main Links Related Documentation
XSSer "The Hive!" (v1.8-1) Official site
Code Repository 		Paper(2009): 'XSS for fun and profit':
English - Spanish

Current Version

TheHive

XSSer v1.8-1 ("The Hive!")

This version include more features on the GTK+ interface: xsser --gtk

Xsser-zika-gui.png
[+ Click for Zoom]

Xsser-zika-tor.png
[+ Click for Zoom]

Xsser-zika-map.png
[+ Click for Zoom]

Xsser-zika-spidering.png
[+ Click for Zoom]

How it works


Xsser-url-schema.png
[+ Click for Zoom]

Installation

XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-xmlbuilder - create xml/(x)html files - Python 2.x
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (ex: Ubuntu), run:

$ sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip

Options

Usage:

xsser [OPTIONS] [--all <url> |-u <url> |-i <file> |-d <dork> (options)|-l ] [-g <get> |-p <post> |-c <crawl> (options)] [Request(s)] [Checker(s)] [Vector(s)] [Anti-antiXSS/IDS] [Bypasser(s)] [Technique(s)] [Final Injection(s)] [Reporting] {Miscellaneous}

Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

Options: 

 --version             show program's version number and exit
 -h, --help            show this help message and exit
 -s, --statistics      show advanced statistics output results
 -v, --verbose         active verbose mode output results
 --gtk                 launch XSSer GTK Interface
 --wizard              start Wizard Helper!

 *Special Features*:
   You can set Vector(s) and Bypasser(s) to build complex scripts for XSS
   code embedded. XST allows you to discover if target is vulnerable to
   'Cross Site Tracing' [CAPEC-107]:

   --imx=IMX           IMX - Create an image with XSS (--imx image.png)
   --fla=FLASH         FLA - Create a flash movie with XSS (--fla movie.swf)
   --xst=XST           XST - Cross Site Tracing (--xst http(s)://host.com)

 *Select Target(s)*:
   At least one of these options must to be specified to set the source
   to get target(s) urls from:

   --all=TARGET        Automatically audit an entire target
   -u URL, --url=URL   Enter target to audit
   -i READFILE         Read target(s) urls from file
   -d DORK             Search target(s) using a query (ex: 'news.php?id=')
   -l                  Search from a list of 'dorks'
   --De=DORK_ENGINE    Use this search engine (default: yahoo)
   --Da                Search massively using all search engines

 *Select type of HTTP/HTTPS Connection(s)*:
   These options can be used to specify which parameter(s) we want to use
   as payload(s). Set 'XSS' as keyword on the place(s) that you want to
   inject:

   -g GETDATA          Send payload using GET (ex: '/menu.php?id=XSS')
   -p POSTDATA         Send payload using POST (ex: 'foo=1&bar=XSS')
   -c CRAWLING         Number of urls to crawl on target(s): 1-99999
   --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5 (default: 2)
   --Cl                Crawl only local target(s) urls (default: FALSE)

 *Configure Request(s)*:
   These options can be used to specify how to connect to the target(s)
   payload(s). You can choose multiple:

   --head              Send a HEAD request before start a test
   --cookie=COOKIE     Change your HTTP Cookie header
   --drop-cookie       Ignore Set-Cookie header from response
   --user-agent=AGENT  Change your HTTP User-Agent header (default: SPOOFED)
   --referer=REFERER   Use another HTTP Referer header (default: NONE)
   --xforw             Set your HTTP X-Forwarded-For with random IP values
   --xclient           Set your HTTP X-Client-IP with random IP values
   --headers=HEADERS   Extra HTTP headers newline separated
   --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)
   --auth-cred=ACRED   HTTP Authentication credentials (name:password)
   --check-tor         Check to see if Tor is used properly
   --proxy=PROXY       Use proxy server (tor: http://localhost:8118)
   --ignore-proxy      Ignore system default HTTP proxy
   --timeout=TIMEOUT   Select your timeout (default: 30)
   --retries=RETRIES   Retries when connection timeout (default: 1)
   --threads=THREADS   Maximum number of concurrent requests (default: 5)
   --delay=DELAY       Delay in seconds between each request (default: 0)
   --tcp-nodelay       Use the TCP_NODELAY option
   --follow-redirects  Follow server redirection responses (302)
   --follow-limit=FLI  Set limit for redirection requests (default: 50)

 *Checker Systems*:
   These options are useful to know if your target is using filters
   against XSS attacks:

   --hash              Send a hash to check if target is repeating content
   --heuristic         Discover parameters filtered by using heuristics
   --discode=DISCODE   Set code on reply to discard an injection
   --checkaturl=ALT    Check reply using: <alternative url> [aka BLIND-XSS]
   --checkmethod=ALTM  Check reply using: GET or POST (default: GET)
   --checkatdata=ALD   Check reply using: <alternative payload>
   --reverse-check     Establish a reverse connection from target to XSSer
   --reverse-open      Open a web browser when a reverse check is established

 *Select Vector(s)*:
   These options can be used to specify injection(s) code. Important if
   you don't want to inject a common XSS vector used by default. Choose
   only one option:

   --payload=SCRIPT    OWN   - Inject your own code
   --auto              AUTO  - Inject a list of vectors provided by XSSer

 *Select Payload(s)*:
   These options can be used to set the list of vectors provided by
   XSSer. Choose only if required:

   --auto-set=FZZ_NUM  ASET  - Limit of vectors to inject (default: 1293)
   --auto-info         AINFO - Select ONLY vectors with INFO (defaul: FALSE)
   --auto-random       ARAND - Set random to order (default: FALSE)

 *Anti-antiXSS Firewall rules*:
   These options can be used to try to bypass specific WAF/IDS products
   and some anti-XSS browser filters. Choose only if required:

   --Phpids0.6.5       PHPIDS (0.6.5) [ALL]
   --Phpids0.7         PHPIDS (0.7) [ALL]
   --Imperva           Imperva Incapsula [ALL]
   --Webknight         WebKnight (4.1) [Chrome]
   --F5bigip           F5 Big IP [Chrome + FF + Opera]
   --Barracuda         Barracuda WAF [ALL]
   --Modsec            Mod-Security [ALL]
   --Quickdefense      QuickDefense [Chrome]
   --Firefox           Firefox 12 [& below]
   --Chrome            Chrome 19 & Firefox 12 [& below]
   --Opera             Opera 10.5 [& below]
   --Iexplorer         IExplorer 9 & Firefox 12 [& below]

 *Select Bypasser(s)*:
   These options can be used to encode vector(s) and try to bypass
   possible anti-XSS filters. They can be combined with other techniques:

   --Str               Use method String.FromCharCode()
   --Une               Use Unescape() function
   --Mix               Mix String.FromCharCode() and Unescape()
   --Dec               Use Decimal encoding
   --Hex               Use Hexadecimal encoding
   --Hes               Use Hexadecimal encoding with semicolons
   --Dwo               Encode IP addresses with DWORD
   --Doo               Encode IP addresses with Octal
   --Cem=CEM           Set different 'Character Encoding Mutations'
                       (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')

 *Special Technique(s)*:
   These options can be used to inject code using different XSS
   techniques and fuzzing vectors. You can choose multiple:

   --Coo               COO - Cross Site Scripting Cookie injection
   --Xsa               XSA - Cross Site Agent Scripting
   --Xsr               XSR - Cross Site Referer Scripting
   --Dcp               DCP - Data Control Protocol injections
   --Dom               DOM - Document Object Model injections
   --Ind               IND - HTTP Response Splitting Induced code

 *Select Final injection(s)*:
   These options can be used to specify the final code to inject on
   vulnerable target(s). Important if you want to exploit 'on-the-wild'
   the vulnerabilities found. Choose only one option:

   --Fp=FINALPAYLOAD   OWN    - Exploit your own code
   --Fr=FINALREMOTE    REMOTE - Exploit a script -remotely-

 *Special Final injection(s)*:
   These options can be used to execute some 'special' injection(s) on
   vulnerable target(s). You can select multiple and combine them with
   your final code (except with DCP exploits):

   --Anchor            ANC  - Use 'Anchor Stealth' payloader (DOM shadows!)
   --B64               B64  - Base64 code encoding in META tag (rfc2397)
   --Onm               ONM  - Use onMouseMove() event
   --Ifr               IFR  - Use <iframe> source tag
   --Dos               DOS  - XSS (client) Denial of Service
   --Doss              DOSs - XSS (server) Denial of Service

 *Reporting*:
   --save              Export to file (XSSreport.raw)
   --xml=FILEXML       Export to XML (--xml file.xml)

 *Miscellaneous*:
   --silent            Inhibit console output results
   --alive=ISALIVE     Set limit of errors before check if target is alive
   --update            Check for latest stable version

Contact

Irc: 

   * irc.freenode.net - channel: #xsser

Project Leader: 

   * psy - 03c8.net

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_XSSER&oldid=254862"