OWASP XSSER

=GSoC 2013 Proposal=

OWASP XSSer Project Ideas

Students presentations, questions and more: Mailing list archive: GSoC13 thread

Proposals 'on stage':  http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/mxprm/17001 http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/badc0re/1 http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/whenov/1 

=Current Version=

TIP: type: 'xsser --gtk' to start from shell. Or run directly XSSer from menu

=Installation=

XSSer runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl

- python-beautifulsoup - error-tolerant HTML parser for Python - python-libxml2 - Python bindings for the GNOME XML library - python-geoip - Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (ex: Ubuntu), run:

sudo apt-get install python-pycurl python-beautifulsoup python-libxml2 python-geoip

=How to Use=

xsser [OPTIONS] [-u |-i  |-d ] [-g  |-p  |-c ] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Usage Examples Documentation Screenshots Videos

=Changelog=

November, 28, 2011:

Core: Added Drop Cookie option + Added Random IP X-Forwarded-For option + Random X-Client-IP option + Added GSS and NTLM authentication methods + Added Ignore proxy option + Added TCP-NODELAY option + Added Follow redirects option + Added Follow redirects limiter parameter + Added Auto-HEAD precheck system + Added No-HEAD option + Added Isalive option + Added Check at url option (Blind XSS) + Added Reverse Check parameter + Added PHPIDS (v.0.6.5) exploit + Added More vectors to auto-payloading + Added HTML5 studied vectors + Fixed Different bugs on core + Fixed Curl handlerer options + Fixed Dorkerers system + Fixed Bugs on results propagation + Fixed POST requests.

GTK: Added New features to GTK controller + Added Detailed views to GTK interface.

February, 25, 2011:

Added package for Archlinux.

February, 24, 2011:

Core: Added GTK option + Heuristic test + HTTP Response Splitting (ak.a Induced attack!) + DoS (Server) injection + Final code (added DCP & DOM injections) + Update option + Code clean + Bugfixing + New options menu + More advanced statistics system + Updated dorkerers list.

GTK: Intuitive navigation + Wizard helper ("build your pentesting answering some questions") + Expert visor (with target(s) geolocation included + Documentation.

November, 13, 2010:

XSSer package for Archlinux can be found in the AUR.

November, 11, 2010:

Created XSSer package (v1.0) for Ubuntu/Debian based systems.

November, 9, 2010:

Added more advanced statistics results + Bugfixig.

November, 7, 2010:

Added "final remote injections" option + Cross Flash Attack! + Cross Frame Scripting + Data Control Protocol Injections + Base64 (rfc2397) PoC + OnMouseMove PoC + Browser launcher + Code clean + Bugfixing + New options menu + Pre-check system + Crawler spidering clones + More advanced statistics system + "Mana" output results.

October, 8, 2010:

POC: Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --tweet

Results of the -botnet- attack in real time:

- http://identi.ca/xsserbot01 - http://twitter.com/xsserbot01

Reported: apróx. 3.000 websites vulnerables (XSSer storm!!).

September 22, 2010:

Added a-xml exporter + ImageXSS + New dorker engines (total 10) + Core clean + Bugfixing + Social Networking XSS auto-publisher + Started -federated- XSS (full disclosure) pentesting botnet.

http://identi.ca/xsserbot01 http://twitter.com/xsserbot01

August 20, 2010:

Added attack payloads to auto-payloader (26 new injections) + POST + Statistics + URL Shorteners + IP Octal + Post-processing payloading + DOM Shadows! + Cookie injector + Browser DoS (Denegation of Service).

July 1, 2010:

Dorking + Crawling + IP DWORD + Core clean.

April 19, 2010:

HTTPS implemented + patched bugs.

March 22, 2010:

Added "inject your own payload" option. Can be used with all character encoding -bypassers- of XSSer.

March 18, 2010:

Added attack payloads to auto-payloader (62 different XSS injections).

March 16, 2010:

Added new payload encoders to bypass filters.

=Roadmap=

Download roadmap planning: Next Version

=Contact=

Irc:

* irc.freenode.net - channel: #xsser

Mailing lists:

* Owasp: Subscribe [mailto:owasp_xsser@lists.owasp.org Write]

* Sourceforge: Subscribe [mailto:xsser-users@lists.sourceforge.net Write]

Project Leader:

GPG ID: 0xB8AC3776

* Website: o http://lordepsylon.net

* Email: o [mailto:root@lordepsylon.net psy] o [mailto:epsylon@riseup,net epsylon]

* Microblogging: o identi.ca o twitter.com