xsser-users Mailing List for xsser (Page 3)
XSSer: Cross Site Scripter
Status: Beta
Brought to you by:
lordepsylon
From: Kumar V, V. <Vas...@ke...> - 2010-11-17 05:00:51

Hi,

First of all, I would like to congratulate you on your efforts towards coming up with a framework which detects XSS vulnerabilities in web applications. I am interested in finding out how XSSer works with applications and am looking forward to trying this tool hands-on.

However, I could not find any document related to XSSer on the internet; the document available under your 'Documentation' section is in Spanish. It would be great if you could share any document describing the features of XSSer in English, which would immensely help in understanding how this tool works.

Looking forward to the XSSer English documentation. Thanks in advance!

Warm Regards,
V.Vasanth

From: psy <ro...@lo...> - 2010-11-14 05:32:16

* Ubuntu/Debian: http://xsser.sourceforge.net/xsser/xsser_1.0-2_all.deb.tar.gz
* Archlinux (added to AUR): http://aur.archlinux.org/packages.php?ID=43447

===
psy.

From: psy <ro...@lo...> - 2010-11-14 05:28:58

Hi,

After these two pieces of good news:

- XSSer added to Backtrack
- XSSer added to PacketStormSecurity

it is time to code. This is the provisional planning for the next milestone of XSSer. All help with these tasks is welcome.

https://n-1.cc/pg/tasks/group:15466/viewtasks

new features:
- implement HTTP splitting techniques
- implement DCP final injections
- implement CSRF (under review)
- implement auto recheck system

code fixing:
- fix code fluxes (options launcher)
- fix some code points (marked at XXX)

new implementations:
- visual interface

experimental:
- heuristic testing
- elgg daemon

docs:
- translate from Spanish to English this paper: "XSS for fun and profit"
- create pdf + html files with: "How to XSSer"

The idea is to finish these tasks before the end of this month.

Regards.
psy.

From: psy <ro...@lo...> - 2010-11-11 05:59:25

Hi,

It is now possible to download an XSSer v1.0 .deb package to install the framework on your Debian systems.

You can download it directly here: http://xsser.sourceforge.net/xsser/xsser_1.0-2_all.deb.tar.gz

Enjoy it.
psy.

From: psy <ro...@lo...> - 2010-11-07 22:27:43

XSSer v1.0 -official- aka "The Mosquito" released.

Take the code !!

http://downloads.sourceforge.net/xsser/xsser-1.0.tar.gz

It has these new implementations:

- Added "final remote injections" option
- Cross Flash Attack!
- Cross Frame Scripting
- Data Control Protocol Injections
- Base64 (rfc2397) PoC
- OnMouseMove PoC
- Browser launcher
- Code clean
- Bugfixing
- New options menu
- Pre-check system
- Crawler spidering clones
- More advanced statistics system
- "Mana" output results

=================
Official Website: http://xsser.sourceforge.net/
=================
#XSSer Community:
- Lorea.org: https://n-1.cc/pg/groups/15466/xsser/
- Identi.ca: https://identi.ca/group/xsser
- Twitter: https://twitter.com/lord_epsylon/xsser
=================

Time to fly the mosquito together...

Happy cross hacking!! :D

psy.

From: psy <ro...@lo...> - 2010-11-05 08:50:15

Hi there,

The new version of XSSer ("The Mosquito") is practically finished. :)

New implementations:

- Added "final remote injections" option
- Cross Flash Attack!
- Cross Frame Scripting
- Data Control Protocol Injections
- Base64 (rfc2397) PoC
- OnMouseMove PoC
- Browser launcher
- Code clean
- Bugfixing (a lot)
- New options menu
- Pre-check system

Now, I have 3 open "bugs" to close and finish all tasks proposed.

Next step: create a Debian package.

Next milestone (code clean + bugfixing + some anti-antiXSS technique + interface)

I will upload the next version when the bugs are repaired (today/tomorrow), and the Debian package this 10th of November.

I am so excited. Injection results are amazing!! :)

Kisses.

From: psy <ro...@lo...> - 2010-10-26 02:05:36

The new version of XSSer is designed: v1.0 ("The mosquito").

This is a "preview" of the new menu (appears better distributed): http://pastebin.com/xzB0ZPdt

It is necessary to finish some tasks before.

new features:
- Final Remote (Insert your final code to inject -remotely-) (a.k.a. "put your Worm here")
- ONM - Insert 'OnMouseOver' vector(s)
- FLA - Cross Flash Attack!
- DCP injections
- DOM injections
- B64 exploit
- Dorkers list update

tasks:
- implement: flash attack! - (psy)
- implement: onmouseover - (psy)
- implement DCP
- implement DOM
- implement final remote - (psy) - finished
- implement Base64 code encoding in META tag (rfc2397) exploit (psy) - finished
- fix DoS option - (psy) -> really it is to fix all final injection systems. - working on it.
- fix crawler: engine + width + POST crawling. -> IMPORTANT!
- debian package (bencer + psy) -> list of subtasks created.
- web interface (?) -> next stage? some ideas? django?
- XSSer manual - pdf with all.
- package completion (contributors+readme+license+debian package requirements...)

This email is an invitation to do it together. All types of help are welcome.

I proposed this next level for this 1st of November.

psy.

From: psy <ro...@lo...> - 2010-10-17 02:08:53

Hi,

This new feature (Final remote injections) is implemented correctly.

Here you have a -real poc- with an example of command usage and results in an image.

https://n-1.cc/pg/photos/view/49869/example-final-remote-injection-poc

There are more surprises for tonight :)

See you.
psy.

From: psy <ro...@lo...> - 2010-10-16 23:57:10

Ok, all "final stage" planning for XSSer is finished. :)

New features, the new menu and the last tasks to finish this "last" milestone are in this link (only for users with "developers access"):

((https://n-1.cc/mod/threaded_forums/topicposts.php?topic=49846&group_guid=15466))

As you can see, developers, the tool takes a real "XSSer ninja framework" form for the "official" release. :P

Otherwise, the name for this last version is decided too; more info: "The mosquito manifesto" (https://n-1.cc/pg/blog/group:15466/read/49863/xsser-v10-the-mosquito-manifesto)

Remember, all types of help are welcome.

Time to code!! :)

psy.

From: psy <ro...@lo...> - 2010-10-10 01:12:04
|
Thnks Krzysztof for your report. bug is fixed in -dev- version. correction will be published in next milestone (arround 20 Oct.). tasks proposed are in this link (you need to be registered to see it): https://n-1.cc/pg/tasks/group:15466 all help is welcome! psy. > Hi! > > POST requests actually don't work for me in XSSer, due to a typo in POST > header (Content-type) The charset is magled with the content type without a > "; " separator. Below is the the fix: > > Index: curlcontrol.py > =================================================================== > --- curlcontrol.py (wersja 12) > +++ curlcontrol.py (kopia robocza) > @@ -19,7 +19,7 @@ > proxy = None > delay = 8 > > - def __init__(self, base_url="", fakeheaders=[ 'Accept: image/gif, > image/x-bitmap, image/jpeg, image/pjpeg', 'Connection: Keep-Alive', > 'Content-type: application/x-www-form-urlencodedcharset=UTF-8' ]): > + def __init__(self, base_url="", fakeheaders=[ 'Accept: image/gif, > image/x-bitmap, image/jpeg, image/pjpeg', 'Connection: Keep-Alive', > 'Content-type: application/x-www-form-urlencoded; charset=UTF-8' ]): > self.handle = pycurl.Curl() > self.set_url(base_url) > self.verbosity = 0 > > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------------ > Beautiful is writing same markup. Internet Explorer 9 supports > standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3. > Spend less time writing and rewriting code and more time creating great > experiences on the web. Be a part of the beta today. > http://p.sf.net/sfu/beautyoftheweb > ------------------------------------------------------------------------ > > _______________________________________________ > Xsser-users mailing list > Xss...@li... > https://lists.sourceforge.net/lists/listinfo/xsser-users > |
From: Krzysztof K. <kko...@gm...> - 2010-10-09 23:44:25
|
Hi! POST requests actually don't work for me in XSSer, due to a typo in POST header (Content-type) The charset is magled with the content type without a "; " separator. Below is the the fix: Index: curlcontrol.py =================================================================== --- curlcontrol.py (wersja 12) +++ curlcontrol.py (kopia robocza) @@ -19,7 +19,7 @@ proxy = None delay = 8 - def __init__(self, base_url="", fakeheaders=[ 'Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg', 'Connection: Keep-Alive', 'Content-type: application/x-www-form-urlencodedcharset=UTF-8' ]): + def __init__(self, base_url="", fakeheaders=[ 'Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg', 'Connection: Keep-Alive', 'Content-type: application/x-www-form-urlencoded; charset=UTF-8' ]): self.handle = pycurl.Curl() self.set_url(base_url) self.verbosity = 0 -- Cheers, Krzysztof Kotowicz http://blog.kotowicz.net |
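Review bot: `fakeheaders=[ ... ]` in the `__init__` signature on the changed line is a mutable default argument, so every instance created without an explicit list shares one list object and any later edit to the headers of one instance shows up in the others; since the line is being touched anyway, default to `fakeheaders=None` and build the list inside the method. The corrected `Content-type: application/x-www-form-urlencoded; charset=UTF-8` entry also stays in the object's default header list rather than being tied to POST, so consider adding it only when a request body is present. A regression check that a POST built with the default headers carries the `; ` separator would keep this typo from coming back.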
From: psy <ro...@lo...> - 2010-10-08 14:38:52

Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer (http://xsser.sf.net)

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --publish

Results of the botnet attack in real time:

http://identi.ca/xsserbot01
http://twitter.com/xsserbot01

Reported: approx. 3.080 vulnerable websites.

psy.

From: psy <ro...@lo...> - 2010-09-21 23:10:06

XSSer v1.0b -beta- "Federation edition" released.

It has these new implementations:

- Added an A-Xml exporter
- ImageXSS auto-builder
- New dorker engines (total 10)
- Core cleaned
- Bugfixing
- Social Networking auto-publisher
- Started federated XSS (full disclosure) pentesting botnet.
  * http://identi.ca/xsserbot01
  * http://twitter.com/xsserbot01
- [.....]

=================
Website: http://xsser.sourceforge.net/
Workgroup: https://n-1.cc/pg/groups/15466/xsser/
Code: http://downloads.sourceforge.net/xsser/xsser-1.0b.tar.gz
=================

I hope you enjoy using XSSer.

Now, all XSSer pentesters are more together than ever.

Happy cross hacking!!

psy.

From: psy <ro...@lo...> - 2010-09-21 19:31:13

Hello,

Yes... we have another version of XSSer ready to be released. This new version includes more features and options. You will be notified this week.

But, for the moment, I can give you an example of a new feature correctly implemented: "the publisher" ;)

XSSer has implemented a federated and distributed -full disclosure- output of XSS injection results. That means that we can -replicate- these bots to create a big botnet of XSS vulnerable sites/payloads.

First -replicants- are:

http://identi.ca/xsserbot01
http://twitter.com/xsserbot01

Try to subscribe to them and prepare yourself for the XSSer v0.1b new experience :P

You will enjoy it!

Bye.

From: psy <ro...@lo...> - 2010-09-01 04:58:04
|
https://n-1.cc/pg/videolist/watch/42585 |
From: psy <ro...@lo...> - 2010-08-20 15:04:40

XSSer v0.7a -testing- "Black edition" released.

It has these new implementations:

- new 26 XSS vectors
- POST connections
- statistics
- URL shorteners
- IP OCTAL fuzzing vectors encoder
- Post-processing payloading
- DOM Shadows!
- Cookie injector
- Browser -client- DoS (Denial of service)
- added more screenshots, videos and documentation.
- [.....]

=================
Website: http://xsser.sourceforge.net/
Workgroup: https://n-1.cc/pg/groups/15466/xsser/
Code: http://downloads.sourceforge.net/xsser/xsser-0.7.tar.gz
=================

I hope you enjoy using XSSer.

Happy cross hacking!!! ;)

From: john d. <the...@gm...> - 2010-08-05 20:25:18

Hey there!,

Sorry for the long silence. Thank you for doing deep work on this issue. I would like to participate in the project, how can I do so.

Thanks

From: psy <ro...@lo...> - 2010-07-20 20:26:07

Hello there,

I worked a bit on your proposal, John, and I have some responses for you. Of course, thanks for your report.

*** discrepancy between XSSme and XSSer ***

Target: http://www.go4bangladeshbusiness.com/

-------------
XSSMe 0.4.4
-------------

Unnamed Form 2
***************
- phrase: ANY
- Srchstr:
- filterby: SLR
- Search: Search
- domain: ALL
- cid:
- orderby:

**Running all tests as possible....
- 56 Vulnerabilities
- 770 XSS Strings

***Results...

Blocked 2 hours later...

56/56 - 208/770

---> Try to update your XSSMe version and re-launch this task, John.

-------------
XSSMe 0.4.0
-------------

*Results:*
> DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
> Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
> DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
> Tested value: <SCRIPT>document.vulnerable=true;</SCRIPT>
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <SCRIPT <B>document.vulnerable=true;</SCRIPT>
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <IMG SRC="  javascript:document.vulnerable=true;">
> The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
> Tested value: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>
>
> and more

-------------
XSSer v0.6a
-------------

You launched this command:

XSSer.py -c3 --Cw=4 -u "http://www.go4bangladeshbusiness.com" --user-agent="authorized-testing" --referer="www.[scrubbed].com" --Hex --Str --Une --Dec

That means:

-c3: Crawling 3 hierarchy parameters
--Cw=4: Visit 4 urls with crawler
-u : Target
--user-agent: Modify your User-Agent
--referer: Modify your Referer
--Hex: Encode *simple payload* in Hexadecimal
--Str: Re-encode to Str, Une, Dec

simple payload is: "><script>alert("XSS")</script>

::::::
Conclusions:
------------
1) XSSMe has more different payloads to inject (it is necessary to update vectors.py of XSSer with more) --> nice ;)
2) XSSer doesn't launch DOM attacks yet (the next milestone has this task, "How to implement DOM attacks")
3) You are not launching XSSer to do the same tasks as XSSMe (your test is only injecting a "simple payload" re-encoded).

Recommendations + example:
-------------
Maybe it is important to use --Fuzz (fuzzing) to inject all the payloads that XSSer has by default.
Of course, you can crawl deeper, but for an example -c3 --Cw4 is ok (7 parameters max).
I put in more threads to speed up!
And re-encode these fuzzing payloads "only" to Hexadecimal + String.fromCharCode.

XSSer.py -c3 --Cw=4 -u "http://www.go4bangladeshbusiness.com" --user-agent="authorized-testing" --referer="www.[scrubbed].com" --Fuzz --Hex --Str --threads="10" --retries="5"

x) XSSer will tell you all the browsers in which you can inject a successful payload.

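The two XSSMe result categories quoted in this thread ("DOM was modified by attack string" and "unencoded attack string was found in the html") describe different ways a response can echo a test string. As an added example (not code from XSSMe, XSSer or the posters), the Python below classifies how a probe comes back in a response body, which is the check to run when verifying your own application's output encoding; the function names, verdict labels and sample responses are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Probe string taken from the XSSMe report quoted in the thread.
PROBE = "<SCRIPT>document.vulnerable=true;</SCRIPT>"


class _ScriptCollector(HTMLParser):
    """Collects the text of every <script> element the HTML parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.bodies = []
        self._buf = None  # text chunks while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.bodies.append("".join(self._buf).strip())
            self._buf = None


def script_bodies(markup):
    """Return the script texts that an HTML parser extracts from markup."""
    parser = _ScriptCollector()
    parser.feed(markup)
    parser.close()
    return parser.bodies


def classify_reflection(body, probe=PROBE):
    """Classify how `probe` is echoed in a response body.

    element     - echoed raw and parsed as a live <script> element
    raw-inert   - echoed raw, but the surrounding context (for example an
                  HTML comment) kept it from being parsed as an element;
                  output encoding is still missing
    escaped     - present only after HTML entity decoding
    url-encoded - present only after percent-decoding
    absent      - not echoed in any of these forms
    """
    if probe in body:
        wanted = script_bodies(probe)
        live = script_bodies(body)
        if wanted and any(w in live for w in wanted):
            return "element"
        return "raw-inert"
    if probe in html.unescape(body):
        return "escaped"
    if probe in unquote(body):
        return "url-encoded"
    return "absent"


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "no_encoding": "<html><body><p>Results for "
                   "<SCRIPT>document.vulnerable=true;</SCRIPT></p></body></html>",
    "html_escaped": "<html><body><p>Results for &lt;SCRIPT&gt;"
                    "document.vulnerable=true;&lt;/SCRIPT&gt;</p></body></html>",
    "in_comment": "<html><body><!-- last query: "
                  "<SCRIPT>document.vulnerable=true;</SCRIPT> -->"
                  "<p>No results</p></body></html>",
    "percent_encoded": '<html><body><a href="/search?Srchstr=%3CSCRIPT%3E'
                       'document.vulnerable%3Dtrue%3B%3C%2FSCRIPT%3E">again</a>'
                       "</body></html>",
    "not_echoed": "<html><body><p>No results</p></body></html>",
}


def summarize(responses, probe=PROBE):
    """Map each named response to its reflection verdict."""
    return {name: classify_reflection(body, probe)
            for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in summarize(SAMPLE_RESPONSES).items():
        print(f"{name:16} {verdict}")
```

Only the `escaped` and `absent` verdicts indicate that the echo path handled this probe safely; `url-encoded` is safe only where the value is not decoded again before being written into the page.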
From: psy <ro...@lo...> - 2010-07-18 21:31:41

Hi John,

I am sorry but I am travelling, so I haven't had a lot of time to respond to emails.

Did you check manually whether the injections with XSSme are correct?

Maybe it is necessary to re-code XSSer (remember that it is an alpha version, yet).

Otherwise, thank you for your report. We can work together on fixing it.

Regards,

From: john d. <the...@gm...> - 2010-07-17 22:52:07

Hello all,

I have tested XSSME 0.4.4. and xsser 0.6a. I have launched both on the same site, and have different results.

XSSME shows the following:

XSS String Test Results
Srchstr
*Submitted Form State:*

- phrase: ALL
- phrase: ANY
- filterby: BYR
- filterby: SLR
- Search: Search
- domain: ALL
- cid:
- orderby:

*Results:*
DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
DOM was modified by attack string. Field appears to be very vulnerable to XSS String.
Tested value: <SCRIPT>document.vulnerable=true;</SCRIPT>
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <SCRIPT <B>document.vulnerable=true;</SCRIPT>
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <<SCRIPT>document.vulnerable=true;//<</SCRIPT>
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <IMG SRC="  javascript:document.vulnerable=true;">
The unencoded attack string was found in the html of the document. Other browsers may be vulnerable to this XSS string.
Tested value: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=document.vulnerable=true;>

and more

XSSer says no vulnerabilities found.

[*] Final Results:
===========================================================================

- Total: 108
- Failed: 108
- Sucessfull: 0

Command used: XSSer.py -c3 --Cw=4 -u "http://www.go4bangladeshbusiness.com" --user-agent="authorized-testing" --referer="www.[scrubbed].com" --Hex --Str --Une --Dec

Is there a problem with xsser?

Thanks,
-J

From: psy <ro...@lo...> - 2010-07-01 19:06:57

Hi there,

I am very excited to present a new release of XSSer (Cross Site Scripter). I think that it will help to open new ways for XSS injections.

XSSer v0.6a aka "XSSer Storm!" supports these new features:

  -g DORK               Process search engine dork results as target urls (ex: inurl:vulnerable.asp?id=)
  --Ge=DORK_ENGINE      Search engine to use for dorking (scroogle, duck, altavista, bing)
  -c CRAWLING           Crawl target hierarchy parameters (can be slow!)
  --Cw=CRAWLING_WIDTH   Number of urls to visit when crawling
  --Dfo                 Encodes fuzzing IP addresses in DWORD format

Core code was cleaned, some bugs were fixed and new documentation was attached.

You can see more info here: http://xsser.sourceforge.net/

Or download directly from here: http://downloads.sourceforge.net/xsser/xsser-0.6.tar.gz

So for me that's all, enjoy it and of course...

Happy cross hacking!!! :)

From: psy <ro...@lo...> - 2010-06-29 15:46:44

Hi there,

The first milestone for the XSSer <http://xsser.sourceforge.net/> tool will finish this Thursday (1 July).

The idea is to develop the "first stage" of the Roadmap <https://n-1.cc/pg/pages/view/15478/> and play python together, of course :D

For that, we can use the irc freenode channel *#xsser* (irc.freenode.net), and we have a gobby room in a server listening to us.

So, if you wanna "inject XSS" and contribute to this tool, it is a good time to join the party.

I hope to see you :P

------------------
Blog notice: https://n-1.cc/pg/blog/group:15466/read/27258/xsser-hackaton-247

From: psy <ro...@lo...> - 2010-05-08 21:32:40

Hi list,

I just implemented some new ideas for the roadmap.

1)- CACHE system for vulnerable and non vulnerable sites
2)- AUTOTEST. This option includes some "test" templates for XSS; non-persistent, persistent and (maybe) DOM.

Autotest:

1- Persistent:
+ Iframe injection
+ DDoS (I don't know whether to write this part, or put it like a "fortune cookie" ;)
+ Alert
+ Proxy (connect to an external server) -> Tunneling/XSS Proxy <- the most enjoyable part of the whole tool :P

2- Non-Persistent:
+ Cookie stealer
+ Alert
+ Proxy

3- DOM?:
+ List of vectors

I hope for your comments.

Bye.

From: psy <ro...@lo...> - 2010-04-18 23:10:41

+patched reported bugs
+added HTTPS support

It is now possible to inject in "https://host..."

From: psy <ro...@lo...> - 2010-03-22 07:19:19

+added some documentation
+added "inject your own payload"

Very useful payloading. You can inject your own payloads applying all the different -bypassers- of XSSer.

Remember this: you always need to input XSS in the payload to create the obfuscation hashing.

Examples:

1) simple:

python XSSer.py -u "http://host.com" --payload "<script>XSS</script>"

2) advanced: injection from url, with postdata parameters, using your own payload, verbose mode and with encoding mutations

python XSSer.py -u "http://host.com" -p "?a[]=" --payload '"><img src=x onerror=alert(XSS);>' --verbose --Cem "Hex,Str,Str,Une"

Of course, now you can already be unstoppable. ;)