4.5 Identifying & Exploiting XSS with XSSer
Last updated
Last updated
Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
It provides several options to try to bypass certain filters and various special techniques for code injection.
XSSer has pre-installed [ > 1300 XSS ] attacking vectors and can bypass-exploit code on several browsers/WAFs:
XSS Reflected - DNS Lookup -> https://localhost/mutillidae/index.php?page=dns-lookup.php
Trying to insert and execute a standard payload: <script>alert("XSS")</script> I can't write all text for shorter input lenght, in addition i receive this error only writing <script> tag:
Then, capturing the request using Burp Suite we can prepare a payload to give to xsser
The type of command that we need is this: xsser --url "<http://website.com" -p "payload (request that we want to test, changing the target_host value with XSS instead of example)"
There's a XSSer GUI mode that facilitate the utilize, activable with flag --gtk
xsser --gtk