
OWASP XSSER

Revision as of 09:08, 30 August 2012 by Epsylon




OWASP XSSer Project
Web application vulnerability scanner / Security auditor

- Project Name: XSSer: The Cross Site Scripting Framework
- Short Project Description: Cross Site "Scripter" is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

Key Project Information

- Project Leader: psy
- Roadmap: Next Version
- Mailing List: Subscribe - Use
- License: GNU GPLv3
- Project Type: Pentesting tool
- Support: NLNet Awards, OWASP tool
- Release Status: v1.6b - "Grey Swarm"
- Main Links: SF Website, Code Releases
- Related Documentation: Paper: 'XSS for fun and profit' (English - Spanish)

Current Version

XSSer v1.6b ("The Mosquito: Grey Swarm!")


This version includes more features in the GTK+ interface.


TIP: type 'xsser --gtk' to start it from the shell, or run XSSer directly from the menu.

Installation

XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-libxml2 - Python bindings for the GNOME XML library
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (e.g. Ubuntu), run:

sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip

How to Use

xsser [OPTIONS] [-u |-i |-d ] [-g |-p |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

- Usage
- Examples
- Documentation
- Screenshots
- Videos

Changelog

November 28, 2011:

Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed various bugs in core + Fixed Curl handler options + Fixed Dorkerers system + Fixed bugs in results propagation + Fixed POST requests.

GTK: Added New features to GTK controller + Added Detailed views to GTK interface.

February 25, 2011:

Added package for Archlinux.

February 24, 2011:

Core: Added GTK option + Heuristic test + HTTP Response Splitting (a.k.a. Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.

GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included) + Documentation.

November 13, 2010:

XSSer package for Archlinux can be found in the AUR.

November 11, 2010:

Created XSSer package (v1.0) for Ubuntu/Debian based systems.

November 9, 2010:

Added more advanced statistics results + Bugfixing.

November 7, 2010:

Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.

October 8, 2010:

POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet

Results of the -botnet- attack in real time:

- http://identi.ca/xsserbot01
- http://twitter.com/xsserbot01

Reported: approx. 3,000 vulnerable websites (XSSer storm!!).

September 22, 2010:

Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.

http://identi.ca/xsserbot01
http://twitter.com/xsserbot01

August 20, 2010:

Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denial of Service).

July 1, 2010:

Dorking + Crawling + IP DWORD + Core clean.

April 19, 2010:

HTTPS implemented + patched bugs.

March 22, 2010:

Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.

March 18, 2010:

Added attack payloads to auto-payloader (62 different XSS injections).

March 16, 2010:

Added new payload encoders to bypass filters.

Roadmap

Download roadmap planning: Next Version

Contact

IRC:

   * irc.freenode.net - channel: #xsser

Mailing lists:

   * OWASP: Subscribe, Write
   * SourceForge: Subscribe, Write

Project Leader:

   * GPG ID: 0xB8AC3776
   * Website: http://lordepsylon.net
   * Email: psy, epsylon
   * Microblogging: identi.ca, twitter.com