epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

xsser not finding any vulnerability in DVWA #37

Closed monoluser closed 5 years ago

monoluser commented 5 years ago

I've set up a DVWA instance (http://www.dvwa.co.uk/) and had xsser find vulnerabilities in it. Unfortunately, nothing is found. Maybe I am doing something wrong? xsser.txt

The command line was: xsser -u "http://localhost/vulnerabilities/xss_r/" -g "?name=XSS" --cookie="PHPSESSID=14ksro241tdlv03j0poamv7e3m; security=low" --auto --no-head -v

epsylon commented 5 years ago

Hi @monoluser, with the requests that you have sent in the log, I can only see that they are arriving correctly at the server and that it returns a 200-OK, so the network layer is working. Let me ask some questions to help solve your issue. Are the GET parameters correctly formed (http://localhost/vulnerabilities/xss_r/?name=)? Did you try using 127.0.0.1? I see that "cookielist: []" in the reply made by the server side is empty. Is that correct? Are you trying to inject into some auth realm? [..]

monoluser commented 5 years ago

Whoa! Thanks for your fast answer.

I don't know whether the parameters are correctly formed; I just copied them from #33. What I'm actually looking for is a tool for detecting XSS vulnerabilities in LAN applications, as automatic as possible.

epsylon commented 5 years ago

I see, @monoluser. That user was spelling the commands wrong. Check these replies https://github.com/epsylon/xsser/issues/33#issuecomment-438506196 and https://github.com/epsylon/xsser/issues/33#issuecomment-438506826 to that comment. XSSer works on any TCP/IP network. And you have nice automatic methodologies in it.

grayguest commented 5 years ago

I also have the same problem. My command line was: xsser -u "http://10.10.10.10:8008" -g "/vulnerabilities/xss_r/?name=" --cookie="PHPSESSID=pame9qi3ifpsj9jv5ergjdf1e0; security=medium" --proxy http://localhost:6000 --auto --no-head -s -v >> xsser.txt

In my Burp, listening on 6000, I find that the HTTP request cannot add the payload.

epsylon commented 5 years ago

Hi @grayguest, can you try spelling your proxy using '127.0.0.1' instead of 'localhost', like "--proxy http://127.0.0.1:6000"?

epsylon commented 5 years ago

Mostly related: https://github.com/epsylon/xsser/issues/38