XSSer - Cross Site "Scripter"

automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications

v1.9 — "Bl4ck Swarm!" 1515 XSS vectors DOM DCP Blind-XSS HTTP Response Splitting XST Induced injection WAF bypassers Encoding bypassers Dorking Crawler GET / POST Heuristic PDF · XML · JSON Tor / Reverse proxy

#News

#Introduction

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It provides several options to try to bypass certain filters and various special techniques for code injection.

Key features

Widely regarded as one of the most complete and influential XSS frameworks ever released — used, shipped, taught and cited across the security world since 2010.

  • [ > 1500 ] pre-installed XSS attacking vectors (automatic fuzzing).
  • Targeting: URL, file, stdin/pipe, raw HTTP request (-r), 'dorking' (multiple engines) and crawler.
  • Injection: GET/POST, Cookie/User-Agent/Referer, DOM and HTTP Response Splitting.
  • Evasion: per-WAF bypassers + character-encoding bypassers; proxy/Tor; client-certificate auth.
  • Validation: each finding is verified for real executability — a context-aware engine tells apart executable contexts (HTML, JS, event handlers, javascript:/data: URIs) from harmless reflections, with an optional headless-browser reverse connection to confirm findings and cut false positives.
  • Reporting: PDF (professional), XML and JSON (for CI / pipelines).

XSSer can bypass-exploit code on several WAFs:

[Cloudflare] Cloudflare WAF
[Akamai] Akamai (Kona / App & API Protector)
[AWS] AWS WAF
[Azure] Azure Front Door WAF
[Imperva] Imperva (Incapsula / Cloud WAF)
[F5] F5 BIG-IP ASM / Advanced WAF
[Barracuda] Barracuda WAF
[ModSec] Mod-Security + OWASP CRS v3
[Wordfence] Wordfence (WordPress)
[Sucuri] Sucuri (CloudProxy)
[FortiWeb] Fortinet FortiWeb
[WebKnight] AQTRONIX WebKnight

#Download

Latest stable: XSSer v1.9 "Bl4ck Swarm!"

$ wget https://xsser.03c8.net/xsser/xsser-1.9.tar.gz
$ tar xf xsser-1.9.tar.gz
$ cd xsser-1.9
$ sudo python3 setup.py install
$ xsser -h
$ xsser --gtk   # for the GUI

#Captures

Click any capture to open it full-size.

Shell
XSSer shell
Dorking (multiple engines)
XSSer dorking
WAF Bypassers & Encoders
XSSer options
GTK GUI
XSSer GUI
GUI: Anti-antiXSS / IDS (WAFs)
XSSer GUI WAFs
GUI: Encoders & Bypassers
XSSer GUI bypassers
GeoMap (dorking swarm)
XSSer GeoMap
PDF Report
XSSer PDF report

#Documentation

Talks & papers

References & recognition

Running strong since 2010, XSSer is one of the most widely-used and recognised open-source XSS frameworks in the world — shipped by default in the leading security distributions, featured in books and the security press, cited across academic research and taught in hundreds of tutorials.

Security distributions

Books & press

Academic research

Community & awards

#Installation

XSSer runs on many platforms. It requires Python (3.x) and the following libraries:

Install everything automatically (as root):

$ sudo python3 setup.py install

On Debian-based systems (ex: Ubuntu) you can also install the package directly:

$ sudo apt install ./xsser_1.9_all.deb

Or install the libraries manually:

$ sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-gi python3-selenium firefoxdriver python3-fpdf2
$ sudo pip3 install pycurl bs4 pygeoip PyGObject selenium ddgs fpdf2

#Source Code

XSSer can be cloned from different code repositories.

Official

https://code.03c8.net/epsylon/xsser

$ git clone https://code.03c8.net/epsylon/xsser

Mirror (GitHub)

https://github.com/epsylon/xsser

$ git clone https://github.com/epsylon/xsser

Mirror (SourceForge)

https://sourceforge.net/p/xsser/code/

$ git clone https://git.code.sf.net/p/xsser/code xsser

#Packages

XSSer v1.9: "Bl4ck Swarm!" latest

$ wget https://xsser.03c8.net/xsser/xsser_1.9_all.deb
$ sudo apt install ./xsser_1.9_all.deb
$ xsser --gtk   # for the GUI

XSSer v1.8.3: "The HiV€!"

XSSer v1.7.2b: "ZiKA-47 Swarm!"

XSSer v1.6: "Grey Swarm!"

#License

XSSer is released under the General Public License v3 and is copyrighted by psy.

#Support

This framework is actively looking for new sponsors and funding. If you or your organization has an interest in keeping XSSer alive, please contact directly.

Shop: thehackerstyle.com/store