epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

Unable to pass --payload command correctly #30

Closed flyingorange7 closed 6 years ago

flyingorange7 commented 6 years ago

Hello, I've been trying to use the --payload command on mutillidae's DNS lookup page. I already know (by manual injection) that it should work, but while passing it through --payload="" the XSSer tries http://192.168.2.9/mutillidae/index.php?page=dns-lookup.php/ My intended response was rather http://192.168.2.9/mutillidae/index.php?page=dns-lookup.php/ "> The URL (in bold) is a failed injection while the one below is a successful one. How do I get it to work? My exact command was: xsser -u "http://192.168.2.9/mutillidae/index.php?page=dns-lookup.php" --payload="" is a clean method to distinguish payload from vector.

What does 'My intended response' mean for you?

The issue with --no-head (SSL related) has been fixed in the latest commit.

epsylon commented 6 years ago

EDIT: Haven't updated XSSer in 3-4 weeks, is that the issue? Will update and confirm the same -> Well, keywords are also working better since the latest commit, so... try it again and we will review your issue. Thanks for your report.

flyingorange7 commented 6 years ago

Hello, thanks for the response. I am a new user, my apologies for the inconvenience. I want a pop-up to appear on my screen to show details of the cookie. So ideally, to do so, my URL must look like so: http://192.168.2.18/mutillidae/index.php?page=dns-lookup.php/"><script>alert(document.cookie);</script> This was the command I passed: xsser -u "http://192.168.2.18/mutillidae/index.php?page=dns-lookup.php" --payload="<script>alert(document.cookie);</script>"

XSSer tried to attack the following URL when this command was passed: http://192.168.2.18/mutillidae/index.php?page=dns-lookup.php/<script>alert(document.cookie);</script> The above URL does not have the "> tag after dns-lookup.php/ Therefore the intended attack is not done correctly and the "No XSS vulnerability found" message is given. To verify the same, I passed the first URL directly and got the expected answer (alert message with details of the cookie).

Looking forward to your response. Thanks

EDIT: in my previous comment, I used "<script>alert('Hello!');</script>" as my payload and faced the same error. I also attempted to force-insert the "> tag by including it in the payload ""><script>alert('Hello!');</script>" but, as expected, xsser gives an error due to "" EDIT: Below attached is a screenshot of the same [screenshot: virtualbox_kali linux_08_06_2018_10_43_44]

epsylon commented 6 years ago

The above URL does not have "> tag after dns-lookup.php/ -> because you aren't spelling it in your manual payload: xsser -u "http://192.168.2.18/mutillidae/index.php?page=dns-lookup.php" --payload="" You should try: xsser -u "http://192.168.2.18/mutillidae/index.php?page=dns-lookup.php" --payload='">' I am using " for the vector (the classic one when not launching a manual payload) and ' for the payload, to close that script correctly on the command line. Do you see what I mean?
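The quoting point made in this reply is the crux of the whole issue: the shell, not xsser, decides which characters of `--payload=...` survive. The script below is an added example (it is not part of xsser and does not call it); `payload_value` is a stand-in that returns exactly the option value a program would receive, so the three quoting styles discussed in the thread can be compared side by side using the payload strings already quoted above.

```sh
#!/bin/sh
# Added example, not part of xsser: shows the exact value a --payload option
# delivers to a program under the quoting styles discussed in this issue.

# payload_value: strip the option name and return the raw argument value,
# i.e. what xsser would see after the shell has finished parsing.
payload_value() {
    printf '%s' "${1#--payload=}"
}

# Payload in double quotes with no attribute closer (the original report):
# the tool receives only the script tag, so the "> closer is never sent.
# Result: <script>alert(document.cookie);</script>
double_quoted_no_closer() {
    payload_value --payload="<script>alert(document.cookie);</script>"
}

# Payload in single quotes: " and > pass through untouched, so the
# "> closer reaches the tool together with the script tag.
# Result: "><script>alert(document.cookie);</script>
single_quoted_with_closer() {
    payload_value --payload='"><script>alert(document.cookie);</script>'
}

# Payload that itself contains single quotes (the 'Hello!' variant from the
# edit): keep double quotes outside and backslash-escape the inner double
# quote instead of writing "" which the shell reads as an empty string.
# Result: "><script>alert('Hello!');</script>
double_quoted_escaped_closer() {
    payload_value --payload="\"><script>alert('Hello!');</script>"
}

# Run stand-alone to print all three values, one per line.
for f in double_quoted_no_closer single_quoted_with_closer double_quoted_escaped_closer; do
    printf '%s -> [%s]\n' "$f" "$($f)"
done
```

The unquoted form from the edit (`""><script>...`) is not shown because `""` is an empty string and the following `>` and `<` are redirection operators, which is why the shell rejects that command line before xsser ever runs.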

epsylon commented 6 years ago

OK, you edited. I see, you also tried including "> in the payload, right? Let's try to debug a bit more. Try launching with -v to see how the HTTP requests are built. It also sounds interesting if you can run a transparent proxy, so we can also see how the injection is made.

epsylon commented 6 years ago

Another TIP. You are mixing cookies with 'XSS' alerts, etc... Well, normally you can exploit all these scenarios (some other users have used XSSer against the app you are using, so I know the server side a bit), but sometimes you can only use numbers (for example). When reporting, it is nice to always go ahead with the same example and not introduce too many variables along the way. ;-)

flyingorange7 commented 6 years ago

Hello epsylon, I apologize for the delay. As suggested I did use -v, but except for a few additional details regarding the session, I could not find anything about how the HTTP was constructed. [screenshots: virtualbox_kali linux_13_06_2018_14_53_17, virtualbox_kali linux_13_06_2018_14_53_28, virtualbox_kali linux_13_06_2018_14_53_39]

epsylon commented 6 years ago

I could not find anything about how the HTTP was constructed. -> You need to try a transparent proxy (burp, polipo, etc.) to intercept/analyze the HTTP requests. Look at how other users are using it for debugging tasks: https://github.com/epsylon/xsser/issues/28