epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

Question: XSS attack via headers manipulation #11

Closed walterdolce closed 8 years ago

walterdolce commented 8 years ago

Hi, is it possible with xsser to automatically send payloads within request headers?

One example could be to change the HTTP User-Agent header in a request and send it. The reason I ask is because there are many applications and software packages out there which store such info within their database structure, therefore opening themselves to stored XSS vulnerabilities.

By the look of the parameters which the tool provides I didn't see anything related to this, or am I missing something?

Thanks!
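The stored-XSS path described in the question, as an added example (not code from xsser or from this thread): a persisted User-Agent value is later rendered into an admin page, once by concatenation and once with output escaping. The visitor log, header values and function names are constructed for illustration.

```python
# Added example (not part of xsser or of this issue thread): a minimal model of
# the stored-XSS path the question describes. A request's User-Agent header is
# persisted and later rendered in an admin page. The vulnerable renderer
# concatenates the stored value into HTML; the hardened one escapes it.
# The "visitor log" and header values below are constructed for illustration.
import html

# Constructed sample of stored request metadata (what a "recent visitors"
# panel might persist). The second entry carries a script tag in its User-Agent.
VISITOR_LOG = [
    {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ip": "203.0.113.11", "user_agent": "<script>alert(1)</script>"},
]


def render_vulnerable(entries):
    """Builds the admin table by string concatenation: stored header values
    land in the HTML verbatim, so markup inside a User-Agent executes."""
    rows = "".join(
        f"<tr><td>{e['ip']}</td><td>{e['user_agent']}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"


def render_hardened(entries):
    """Same table, but every stored value is HTML-escaped at output time.
    Escaping on output (not on input) keeps the raw header intact in the
    database while making it inert in the rendered page."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["ip"], quote=True),
            html.escape(e["user_agent"], quote=True),
        )
        for e in entries
    )
    return f"<table>{rows}</table>"


def contains_raw_tag(rendered_html, tag="<script"):
    """Cheap regression check: does the rendered page still contain the tag
    unescaped? Suitable as a unit test guarding the output encoder."""
    return tag in rendered_html


if __name__ == "__main__":
    print("vulnerable leaks tag:", contains_raw_tag(render_vulnerable(VISITOR_LOG)))
    print("hardened leaks tag:", contains_raw_tag(render_hardened(VISITOR_LOG)))
```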

epsylon commented 8 years ago

Hi, I don't know if I understand you, but you have some options to inject code into headers.

--headers=HEADERS Extra HTTP headers newline separated

Also, you can set XSA (Cross Site Agent) or XRS (Cross Site Referer) to apply vectors on those parameters of the HTTP headers. Is that what you ask?

walterdolce commented 8 years ago

Hmm. But that would mean I should specify one payload at a time if using the --header parameter, is that correct?

What I ask is basically to have xsser do the usual work it does for a query string parameter but for headers.

epsylon commented 8 years ago

You can add some 'keywords' to Headers. For example, when manually injecting, you can add 'XSS' to whatever parameter and it will be replaced with a unique hash.

Or if you add PAYLOAD, it is replaced by the payload set (which is an Alert() message by default), and if you add VECTOR, it is replaced by the whole XSS vector.

http://xsser.03c8.net/xsser/url_generation.png

So for example, if you want to inject XSS into X-Client-IP (HTTP parameter), you can add it to --headers using the keywords mentioned before...

--headers=..... X-Client-IP:VECTOR

Is that what you ask?

walterdolce commented 8 years ago

Cool, thanks for pointing that out. I will try and report back later on.

In the meantime, does xsser make use of a payloads database like xenotix?

I would like to run xsser repeatedly against my target with several attack payloads and not just "alert".

epsylon commented 8 years ago

XSSer is using some pre-defined vectors, divided by type of XSS attack, that you can find at: "core/fuzzing/"

You can use them in different combinations for exploiting, not just an "alert" box. With --payload you can build your own discovering code, and with --Fp (Final Payload) or --Fr (Final Remote) you can also exploit with your own locally/remotely.

So you shouldn't have any problem performing what you need...