Closed galapogos closed 6 years ago
Hi,
I had a similar problem and tried to investigate a little further.
My setting: I have a Kali Linux VM and my aim is a DVWA running on 192.168.0.3. Make sure you have the newest version of XSSer, the version shipped with my Kali Linux did not replace 'XSS' in POSTDATA.
1. Empty POSTDATA
The command I used was:
```
./xsser -u "http://192.168.0.3/vulnerabilities/xss_s/" -p "txtName=Eve&mtxMessage=XSS&btnSign=Sign+Guestbook" --cookie "PHPSESSID=8257069907ff7323fda7f8a7213b2528; security=low"
```
And I received
```
[+] Trying: http://192.168.0.3/vulnerabilities/xss_s/ (POST: )
```
Using Burp I saw that the request indeed had no POSTDATA included.
Solution: `--no-head` solved it for me.
2. Check fails
After adding `--no-head`, the POST request was all fine and the injection worked (I saw the injection on the website), BUT the check of XSSer failed and told me the injection was not successful. The reason for that is that the value `url_orig_hash` is set to a value X in line 603 of main.py. This value is, as far as I saw, included in the POSTDATA and it is indeed the value I saw injected on the website. In line 659 `url_orig_hash` is set again to a value Y. This is the value XSS used to check if the injection was successful. Since X != Y holds, the injection was declared as not successful.
I don't have a solution for this since I am not sure I understood all things happening in the code, but this is the reason for my failing POST injection.
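A minimal model of the marker mismatch described in the comment above, added here as an illustration and not taken from XSSer's main.py. The function names and the stand-in guestbook are hypothetical; only the POSTDATA string and the `url_orig_hash` name come from the thread.

```python
import secrets
from urllib.parse import parse_qsl, urlencode

PLACEHOLDER = "XSS"  # keyword replaced in POSTDATA, per the thread
TEMPLATE = "txtName=Eve&mtxMessage=XSS&btnSign=Sign+Guestbook"  # from the post

def new_marker():
    """Random token; stands in for the value the post calls url_orig_hash."""
    return secrets.token_hex(16)

def build_postdata(template, marker):
    """Swap every field whose value is the placeholder for the marker."""
    fields = parse_qsl(template, keep_blank_values=True)
    return urlencode([(k, marker if v == PLACEHOLDER else v) for k, v in fields])

def fake_guestbook(postdata):
    """Constructed stand-in for the target page: reflects the posted message."""
    form = dict(parse_qsl(postdata, keep_blank_values=True))
    return "<div>Name: {}<br>Message: {}</div>".format(
        form.get("txtName", ""), form.get("mtxMessage", ""))

def scan(template, regenerate_before_check):
    """Send one marker, then verify the response.

    regenerate_before_check=True models the reported behaviour: the marker
    is assigned a second time (Y) after the request was built with X.
    """
    injected = new_marker()                      # X
    response = fake_guestbook(build_postdata(template, injected))
    checked = new_marker() if regenerate_before_check else injected  # Y or X
    return {
        "reflected": injected in response,       # what the target really did
        "reported": checked in response,         # what the scanner concludes
    }

if __name__ == "__main__":
    print("regenerated marker:", scan(TEMPLATE, True))
    print("single marker:     ", scan(TEMPLATE, False))
```

With the regenerated marker the response contains the injected value but the check looks for a different one, which is the false negative the comment reports.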
@galapogos I think it is related to the keyword (1) that you are using as payload to inject. XSSer will detect on target's code 'XSS'. This is created that way to evade multiple false positives.
Try to change your injection payload this way:
```
xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "Username=XSS&SUBMIT=Search" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(XSS)%3C%2Fscript%3E" --proxy="http://localhost:8080"
```
@leisipeisi I will review that -> Solution: `--no-head` solved it for me.
Hi, I'm having some problems injecting simple XSS into POST method. My setup is as follows:
- A Kali Linux 2017.1 VM with xsser 1.7b
- A WebGoat vulnerable web-app installed on a Debian 9.10 VM
- Both VMs are running on a host Windows 10 machine.
I'm able to inject a simple "aaa" in the WebGoat "Phishing with XSS" page to get an alert.
However, when I run the following xsser command, I'm unable to get the alert, and xsser shows a failed injection.
```
xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "Username=XSS&SUBMIT=Search" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E" --proxy="http://localhost:8080"
```
xsser output:
Apparently xsser didn't replace the XSS in the POSTDATA with the payload, but rather, just appended it to the end of the POSTDATA. This was confirmed in Burp Suite.
After modifying the command to the following:
```
xsser --statistics --verbose --url='http://192.168.247.128/WebGoat/attack?Screen=1382523204&menu=900' -p "SUBMIT=Search&Username=XSS" --cookie='JSESSIONID=133E98839FD47DF220A3AF26DB42C219' --checkmethod=POST --payload="aaa%3Cscript%3Ealert(1)%3C%2Fscript%3E" --proxy="http://localhost:8080"
```
I get the following output:
This time, checking the response in Burp Suite shows that the alert is indeed inside. However, xsser still reports a failed injection. I notice that only HEAD and POST methods were logged in Burp Suite when xsser runs, but during manual injection with a browser, POST and quite a few GETs were logged. This is also confirmed in the server logs shown below.
Server logs for manual injection:
Server logs for xsser injection:
There seems to be 2 things wrong here: