[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] XSSer v.1.8[3] - "The HiV€!" released

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] XSSer v.1.8[3] - "The HiV€!" released
From: psy <epsylon@xxxxxxxxxx>
Date: Tue, 3 Mar 2020 12:22:57 +0100

Hi FD,

I am glad to present a new release of this tool:

  - https://xsser.03c8.net

---------

"Cross Site "Scripter" (aka XSSer) is an automatic -framework- to
detect, exploit and report XSS vulnerabilities in web-based
applications. It provides several options to try to bypass certain
filters and various special techniques for code injection."

---------

XSSer has pre-installed [ > 1300 XSS ] attacking vectors and can
bypass-exploit code on several browsers/WAFs:

 - [PHPIDS]: PHP-IDS
 - [Imperva]: Imperva Incapsula WAF
 - [WebKnight]: WebKnight WAF
 - [F5]: F5 Big IP WAF
 - [Barracuda]: Barracuda WAF
 - [ModSec]: Mod-Security
 - [QuickDF]: QuickDefense
 - [Chrome]: Google Chrome
 - [IE]: Internet Explorer
 - [FF]: Mozilla's Gecko rendering engine, used by Firefox/Iceweasel
 - [NS-IE]: Netscape in IE rendering engine mode
 - [NS-G]: Netscape in the Gecko rendering engine mode
 - [Opera]: Opera

---------

This release (v1.8.3) called "The HiV€!" has added this new changes:

 * Modified/Updated: anti false positives checkers
 * Added: internal 'headless' browser: gecko/firefox engine
 * Modified/Updated: --reverse-check (GET/POST) (local/remote)
 * Removed: --reverse-open
 * Modified/Updated: DOM attack (added vectors: 13)
 * Modified/Updated: GTK+
 * Added: Requirements
 * Updated: Documentation
 * Updated: Website
 * [...]

---

"I have advanced considerably all the options related to --reverse-open,
so that the tool, once discovered a vulnerability, tries to establish a
tunnel between the target and XSSer. In this way we can certify 100%
that a vulnerability is exploitable..."

+ POC [HTTP POST/REMOTE): https://xsser.03c8.net/xsser/thehive7.png

   shell-1: sudo tcpdump -i any port 19084 -A

   shell-2: python3 xsser --auto -u
"http://testphp.vulnweb.com/search.php?test=query"; -p
"searchFor=XSS&goButton=go" --reverse-check

---------

Code/Packages:

  * [source]:

  - https://code.03c8.net/epsylon/xsser

---

  * [mirror1]:

  - https://github.com/epsylon/xsser

  * [mirror2]:

  - https://sourceforge.net/p/xsser/code/ci/master/tree/

--------

  * [.zip]:

  - https://xsser.03c8.net/xsser/xsser_1.8-3.zip

  * [.tar.gz]:

  - https://xsser.03c8.net/xsser/xsser_1.8-3.tar.gz

---

  * [.tar.gz.torrent]

  - https://xsser.03c8.net/xsser/xsser_1.8-3.tar.gz.torrent


  * [.zip.torrent]

  - https://xsser.03c8.net/xsser/xsser_1.8-3.zip.torrent

-------------------------

Happy "Cross" Hacking! ;-)

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components
Next by Date: [FD] ELF launcher for encrypted binaries decrypted on-the-fly and executed in memory
Previous by thread: Re: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components
Next by thread: [FD] ELF launcher for encrypted binaries decrypted on-the-fly and executed in memory
Index(es):
- Date
- Thread