lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 3 Mar 2020 12:22:57 +0100
From: psy <epsylon@...eup.net>
To: fulldisclosure@...lists.org
Subject: [FD] XSSer v.1.8[3] - "The HiV€!" released

Hi FD,

I am glad to present a new release of this tool:

  - https://xsser.03c8.net

---------

"Cross Site "Scripter" (aka XSSer) is an automatic -framework- to
detect, exploit and report XSS vulnerabilities in web-based
applications. It provides several options to try to bypass certain
filters and various special techniques for code injection."

---------

XSSer has pre-installed [ > 1300 XSS ] attacking vectors and can
bypass-exploit code on several browsers/WAFs:

 - [PHPIDS]: PHP-IDS
 - [Imperva]: Imperva Incapsula WAF
 - [WebKnight]: WebKnight WAF
 - [F5]: F5 Big IP WAF
 - [Barracuda]: Barracuda WAF
 - [ModSec]: Mod-Security
 - [QuickDF]: QuickDefense
 - [Chrome]: Google Chrome
 - [IE]: Internet Explorer
 - [FF]: Mozilla's Gecko rendering engine, used by Firefox/Iceweasel
 - [NS-IE]: Netscape in IE rendering engine mode
 - [NS-G]: Netscape in the Gecko rendering engine mode
 - [Opera]: Opera

---------

This release (v1.8.3) called "The HiV€!" has added this new changes:

 * Modified/Updated: anti false positives checkers
 * Added: internal 'headless' browser: gecko/firefox engine
 * Modified/Updated: --reverse-check (GET/POST) (local/remote)
 * Removed: --reverse-open
 * Modified/Updated: DOM attack (added vectors: 13)
 * Modified/Updated: GTK+
 * Added: Requirements
 * Updated: Documentation
 * Updated: Website
 * [...]

---

"I have advanced considerably all the options related to --reverse-open,
so that the tool, once discovered a vulnerability, tries to establish a
tunnel between the target and XSSer. In this way we can certify 100%
that a vulnerability is exploitable..."

+ POC [HTTP POST/REMOTE): https://xsser.03c8.net/xsser/thehive7.png

   shell-1: sudo tcpdump -i any port 19084 -A

   shell-2: python3 xsser --auto -u
"http://testphp.vulnweb.com/search.php?test=query" -p
"searchFor=XSS&goButton=go" --reverse-check

---------

Code/Packages:

  * [source]:

  - https://code.03c8.net/epsylon/xsser

---

  * [mirror1]:

  - https://github.com/epsylon/xsser

  * [mirror2]:

  - https://sourceforge.net/p/xsser/code/ci/master/tree/

--------

  * [.zip]:

  - https://xsser.03c8.net/xsser/xsser_1.8-3.zip

  * [.tar.gz]:

  - https://xsser.03c8.net/xsser/xsser_1.8-3.tar.gz

---

  * [.tar.gz.torrent]

  - https://xsser.03c8.net/xsser/xsser_1.8-3.tar.gz.torrent


  * [.zip.torrent]

  - https://xsser.03c8.net/xsser/xsser_1.8-3.zip.torrent

-------------------------

Happy "Cross" Hacking! ;-)


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists