Closed cherdt closed 5 years ago
Hi @cherdt. Firstly, it would be nice if you could upgrade your XSSer version to v1.8.1 (current stable), because a lot of changes have been made since v1.7b. To get more detailed output you can try adding -v (verbose) to your spelling. You can also add --reverse-check, but you aren't getting any positive results, so it is probably not needed in your case. Finally, I recommend you use some transparent proxy, such as polipo or burp, to check the requests made and the server-side replies.
Using the latest version worked beautifully!
- Injections: 1291
- Failed: 193
- Successful: 1098
- Accur: 85 %
Thanks for your help! If you end up migrating the code to Python3, let me know, I'd be happy to help out if I can.
Great! :-) I am still thinking about Python3 refactoring tasks. Maybe I'll try some kind of hackathon (IRC/email) soon.
@cherdt Good news! :D https://github.com/epsylon/xsser/issues/39#issuecomment-554634455 So, I hope you are ready to test the next release of XSSer (v1.8.2) under Python3.
I am demo'ing xsser against a simple vulnerable web application I created (https://github.com/cherdt/noople).
I ran the following command:
Although xsser reports 558 injections and 558 failures, I can confirm that xsser was in fact successful on numerous attempts. I suspect I'm missing something from my command.
I am using xsser v1.7b on Kali Linux 4.19.