[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 3 Mar 2020 12:22:57 +0100
From: psy <epsylon@...eup.net>
To: fulldisclosure@...lists.org
Subject: [FD] XSSer v.1.8[3] - "The HiV€!" released
Hi FD,
I am glad to present a new release of this tool:
- https://xsser.03c8.net
---------
"Cross Site "Scripter" (aka XSSer) is an automatic -framework- to
detect, exploit and report XSS vulnerabilities in web-based
applications. It provides several options to try to bypass certain
filters and various special techniques for code injection."
---------
XSSer has pre-installed [ > 1300 XSS ] attacking vectors and can
bypass-exploit code on several browsers/WAFs:
- [PHPIDS]: PHP-IDS
- [Imperva]: Imperva Incapsula WAF
- [WebKnight]: WebKnight WAF
- [F5]: F5 Big IP WAF
- [Barracuda]: Barracuda WAF
- [ModSec]: Mod-Security
- [QuickDF]: QuickDefense
- [Chrome]: Google Chrome
- [IE]: Internet Explorer
- [FF]: Mozilla's Gecko rendering engine, used by Firefox/Iceweasel
- [NS-IE]: Netscape in IE rendering engine mode
- [NS-G]: Netscape in the Gecko rendering engine mode
- [Opera]: Opera
---------
This release (v1.8.3) called "The HiV€!" has added this new changes:
* Modified/Updated: anti false positives checkers
* Added: internal 'headless' browser: gecko/firefox engine
* Modified/Updated: --reverse-check (GET/POST) (local/remote)
* Removed: --reverse-open
* Modified/Updated: DOM attack (added vectors: 13)
* Modified/Updated: GTK+
* Added: Requirements
* Updated: Documentation
* Updated: Website
* [...]
---
"I have advanced considerably all the options related to --reverse-open,
so that the tool, once discovered a vulnerability, tries to establish a
tunnel between the target and XSSer. In this way we can certify 100%
that a vulnerability is exploitable..."
+ POC [HTTP POST/REMOTE): https://xsser.03c8.net/xsser/thehive7.png
shell-1: sudo tcpdump -i any port 19084 -A
shell-2: python3 xsser --auto -u
"http://testphp.vulnweb.com/search.php?test=query" -p
"searchFor=XSS&goButton=go" --reverse-check
---------
Code/Packages:
* [source]:
- https://code.03c8.net/epsylon/xsser
---
* [mirror1]:
- https://github.com/epsylon/xsser
* [mirror2]:
- https://sourceforge.net/p/xsser/code/ci/master/tree/
--------
* [.zip]:
- https://xsser.03c8.net/xsser/xsser_1.8-3.zip
* [.tar.gz]:
- https://xsser.03c8.net/xsser/xsser_1.8-3.tar.gz
---
* [.tar.gz.torrent]
- https://xsser.03c8.net/xsser/xsser_1.8-3.tar.gz.torrent
* [.zip.torrent]
- https://xsser.03c8.net/xsser/xsser_1.8-3.zip.torrent
-------------------------
Happy "Cross" Hacking! ;-)
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists