Cross-site scripting (XSS) lets an attacker insert untrusted JavaScript snippets into your application without authorization. The JavaScript is then executed in the browser of a user who visits the target website. Cross Site "Scripter" (aka XSSer) is an automatic framework for detecting, exploiting and reporting XSS vulnerabilities in web-based applications. It provides several options for trying to bypass certain filters and several different code injection techniques.
XSSer setup–XSS update
XSSer runs on a number of platforms. Python and the following libraries are required. To install them on Debian-based systems:
sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip
Usage
To list all the features of the XSSer package, run "xsser -h":
root@kali:~# xsser -h
To launch a simple injection attack:
root@kali:~# xsser -u "http://192.168.169.130/xss/example1.php?name=hacker"
Injection from Dork, by selecting "google" as search engine:
root@kali:~# xsser --De "google" -d "search.php?q="
In this Kali Linux tutorial, multiple injections are made from the URL with automatic payloads, and a reverse connection is established:
xsser -u "http://192.168.169.130/xss/example1.php?name=hacker" --auto --reverse-check -s
Simple URL injection, using GET, injecting on Cookie and using DOM shadow:
xsser -u "http://192.168.169.130/xss/example1.php?name=hacker" -g "/path?vuln=" --Coo --Dom --Fp="vulnerablescript"
Parameter filtering with heuristics
root@kali:~# xsser -u "http://192.168.169.130/xss/example1.php?name=hacker" --heuristic
To Launch GUI Interface
root@kali:~# xsser --gtk
Core characteristics
Supports both GET and POST injections. Includes different filters and bypass techniques. Can be used from either the command line or the GUI. Gives detailed information about the attack.
XSS Standard Defenses
Which input do we trust? Does it adhere to the expected patterns? Never simply reflect untrusted data back in the output. This applies even to data in our own database. Encode output for the context it lands in (JavaScript / attribute / HTML / CSS).
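The defenses listed above, as an added example that is not from the original page or the XSSer project: allow-list validation of the name parameter from the tutorial's example URL, plus output encoding chosen per context. The pattern, the function names and the sample payload are assumptions made for illustration.

```python
import html
import json
import re

# Assumed allow-list for the `name` parameter: letters, digits, space, "_" and "-".
NAME_PATTERN = re.compile(r"[A-Za-z0-9 _-]{1,64}")

def is_expected_name(value):
    """Input validation: does the value stick to the expected pattern?"""
    return NAME_PATTERN.fullmatch(value) is not None

def encode_html(value):
    """HTML body and quoted-attribute context: escape & < > \" and '."""
    return html.escape(value, quote=True)

def encode_js_string(value):
    """JavaScript string context inside a <script> element: JSON-quote the
    value, then escape the characters an HTML parser would still react to."""
    out = json.dumps(value)  # ensure_ascii=True also escapes U+2028/U+2029
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out

def encode_css_value(value):
    """CSS value context: hex-escape everything except ASCII letters/digits."""
    return "".join(
        c if c.isascii() and c.isalnum() else "\\{:x} ".format(ord(c))
        for c in value
    )

def render_greeting(name):
    """Place untrusted `name` in three contexts, each with its own encoder."""
    return (
        "<p>Hello " + encode_html(name) + "</p>\n"
        '<input name="name" value="' + encode_html(name) + '">\n'
        "<script>var user = " + encode_js_string(name) + ";</script>"
    )

if __name__ == "__main__":
    # Constructed sample inputs: the tutorial's benign value and a test string.
    for sample in ("hacker", "<script>alert(1)</script>"):
        print(sample, "-> matches expected pattern:", is_expected_name(sample))
        print(render_greeting(sample))
```

Validation rejects input that does not match the expected pattern; encoding is still applied on output because data that passed validation earlier, or that comes from the database, may end up in a different context.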