Results 1 to 3 of 3

Thread: Detecting and exploiting XSS injections using XSSer Tool Share/Save - My123World.Com!

  1. #1

    Detecting and exploiting XSS injections using XSSer Tool

    what is XSSer


    XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.
    we will test this tool on the http://testasp.vulnweb.com/ vulnerable site.
    how to use this too

    1. root@punter:/pentest/web# $ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
    2. root@punter:/pentest/web# cd xsser
    3. root@punter:/pentest/web/xsser# python XSSer.py -u “http://testasp.vulnweb.com” -g “Search.asp?tfSearch=” –proxy “http://127.0.0.1:8118″ –referer “666.666.666.666″ –user-agent “correct audit” –Fuzz -s
    4. below are the results









    see the above results which is marked with blue and the attack URl we will test the results manually to confirm the XSS vulnerability chk the below screenshot.



    This Tool Works Perfectly finding XSS using the Automation Process

    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


    Hire a Hacker by the Night and Hire a Chief Security Officer (CSO) by the Day.

  2. #2
    Security Researcher
    Join Date
    Oct 2010
    Location
    Bangalore
    Posts
    14

    Unhappy Issues with XSSer

    Hey punter! That was a nice step-by-step guide to using XSSer.py but, mate, I have an issue with it when I want to scan for pages that require authentication specifically form-based authentication. I'm scanning DVWA 1.0.7. I can see that XSSer doesn't support form-based authentication as in the 1.0b version. So I used a valid session cookie and used it with it, in the case of DVWA it was like:

    Code:
    ./XSSer.py -u "http://192.168.199.2/dvwa/vulnerabilities/xss_r" -g "index.php?name=" --cookie="security=low; PHPSESSID=2f08bf0977db86e2be483822fa721f74" --Fuzz --threads=10 --delay=4 -v -s
    ===========================================================================
    
     XSSer v1.0b - (Copyright - GPL3.0) - 2010 by psy
    
    ===========================================================================
    Testing [XSS from URL] injections...good luck ;)
    ===========================================================================
    
    [-]Verbose: ON
    [-]Cookie: security=low; PHPSESSID=2f08bf0977db86e2be483822fa721f74
    [-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
    [-]HTTP Referer: None
    [-]Extra HTTP Headers: None
    [-]Authentication Type: None
    [-]Authentication Credentials: None
    [-]Proxy: None
    [-]Timeout: 30
    [-]Delaying: 4 seconds
    [-]Threads: 10
    [-]Retries: 3
    But I had no luck with it. I couldn't figure out the issue, later when I used wireshark I found that the HTTP requests did not have the cookie header at all. What to do now? Anybody have faced similar issue?

  3. #3
    There may be we are missing some parameter ,let me download the DVWA and check,ur correct XSSer.py doesnt support form-based authentication it has basic and digest support

    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.


    Hire a Hacker by the Night and Hire a Chief Security Officer (CSO) by the Day.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •