epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

xsser detects but nothing happens. #55

Closed Sublist3r closed 4 years ago

Sublist3r commented 4 years ago

Describe the bug

xsser shows: You have found: [ 4 ] XSS vector(s)! -> [100% VULNERABLE]

This is one of the 4 detected. Example:

[+] Target: https://www.thiswebsite.com/blablabla??countryName=Default&default%27b%27Country=XSS
[+] Vector: [ default'b'Country ]
[!] Method: URL
[] Hash: c43a28532b76082519cb67ffe92794ca
[] Payload: https://www.thiswebsite.com/blablabla?countryName=Default&default%27b%27Country=%22%3Ec43a28532b76082519cb67ffe92794ca
[!] Vulnerable: [IE7.0|IE6.0|NS8.1-IE] [NS8.1-G|FF2.0] [O9.02]
[!] Status: XSS FOUND!

So I copied the entire link from above (website name changed) and pasted it into the browser. I do not see anything change. The website loads normally, but I don't see any vulnerability on the website.

https://www.thiswebsite.com/blablabla?countryName=Default&default%27b%27Country=%22%3Ec43a28532b76082519cb67ffe92794ca

To Reproduce
1. $ xsser -u https://www.thiswebsite/ -c 20 --Cl --reverse-check

Expected behavior
Should be able to see the vulnerability on the modified website.



epsylon commented 4 years ago

Well... That you do not see the result on the website does not mean that it is a program error.

Have you tried to inject some other post-exploitation script, for example, one that gives you an alert()?

ex: xsser -u "https://www.thiswebsite.com/" -g "blablabla?countryName=Default&default%27b%27Country=XSS" -v --reverse-check --reverse-open --Fp "<script>alert(XSS);</script>"

Have you searched for the hash of a found injection (ex: c43a28532b76082519cb67ffe92794ca) in the resulting source code?

epsylon commented 4 years ago

On the other hand, do you know if the target website is using some AJAX? Sometimes, even if the vector is injectable, the result is not where we expect it. If you think it uses JavaScript for the answers, try also playing with the 'BlindXSS' options (ex: --checkaturl = ALT).

Sublist3r commented 4 years ago

> Well... That you do not see the result on the website does not mean that it is a program error.
>
> Have you tried to inject some other post-exploitation script, for example, one that gives you an alert()?
>
> ex: xsser -u "https://www.thiswebsite.com/" -g "blablabla?countryName=Default&default%27b%27Country=XSS" -v --reverse-check --reverse-open --Fp "<script>alert(XSS);</script>"
>
> Have you searched for the hash of a found injection (ex: c43a28532b76082519cb67ffe92794ca) in the resulting source code?

Yes. The hash is in the source code...
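Finding the hash in the page source, as reported above, only shows the marker was reflected; it says nothing about whether the `">` break-out in front of it survived. The following is an added example, not xsser's code: it takes the hash and payload prefix from the report above and classifies a response body as a raw reflection, an escaped copy (a false positive for this vector), or a reflection in some other context. The response bodies are constructed stand-ins, not captures from the target.

```python
import html
from urllib.parse import unquote

# xsser's reported payload ends in %22%3E<hash>; URL-decoded that is '">' followed by the hash
MARKER_PREFIX = unquote("%22%3E")            # '">'
TOKEN = "c43a28532b76082519cb67ffe92794ca"   # hash quoted in the report above

def encoded_forms(prefix: str) -> list:
    """Ways a server may neutralise the '">' break-out before echoing it back."""
    return [
        html.escape(prefix, quote=True),                # &quot;&gt;
        "".join(f"&#{ord(c)};" for c in prefix),        # &#34;&#62;
        "".join(f"&#x{ord(c):x};" for c in prefix),     # &#x22;&#x3e;
        "%22%3E", "%22%3e",                             # echoed still URL-encoded
        prefix.replace('"', '\\"'),                     # \"> (quote escaped inside a JS string)
    ]

def classify_reflection(body: str, token: str = TOKEN, prefix: str = MARKER_PREFIX) -> str:
    """'raw': the break-out came back intact (worth confirming in a browser);
    'encoded': only an escaped copy came back (a false positive for this vector);
    'token-only': hash present without the injected prefix (some other context);
    'absent': not reflected at all."""
    if token not in body:
        return "absent"
    if prefix + token in body:
        return "raw"
    if any(form + token in body for form in encoded_forms(prefix)):
        return "encoded"
    return "token-only"

# Constructed responses standing in for the target page (not real captures).
SAMPLE_RESPONSES = {
    "raw": '<input name="default\'b\'Country" value="">' + TOKEN + '">',
    "encoded": '<input name="default\'b\'Country" value="&quot;&gt;' + TOKEN + '">',
    "token-only": '<!-- last query: countryName=Default ' + TOKEN + ' -->',
    "absent": '<html><body>Default country page</body></html>',
}

def triage(responses: dict) -> dict:
    """Map each response label to the verdict for xsser's marker."""
    return {label: classify_reflection(body) for label, body in responses.items()}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{label:10s} -> {verdict}")
```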

epsylon commented 4 years ago

When trying --reverse-check combined with --reverse-open, just after discovering a vulnerability a browser should open with a message (ex: "thanks for coming!" / "success"...). Do you reach that message in your tests? There we can find the discovered vector without the need to find it in the target's source code.

jepunband commented 4 years ago

See... that is the one I'm not getting. The browser opens with the --reverse-check option, but there were no messages whatsoever... :(

epsylon commented 4 years ago

> the browser opens with the --reverse-check option.

You mean... with --reverse-open. OK! Maybe you haven't assigned a default web browser on your system. Let's try to open it manually. This reverse service is operating at: localhost:19084. So, after discovering a vulnerability, just open a browser and enter this location. You should see those messages this way.

Sublist3r commented 4 years ago

Command I used: xsser -u https://www.website.com -c 20 --Cl --reverse-check --reverse-open


[Info] Generating 'token' url:

https://www.website.com/account/login/">">#http://localhost:19084/success/fe484f90bedef383dc254fcf248d8a87

[screenshot: 2020-02-11 21-35-23]

epsylon commented 4 years ago

OK! It looks like something is wrong on your box when opening a new socket... You need to allow port 19084 to be opened on localhost (127.0.0.1). Is that port busy? Do you have sufficient privileges?

Sublist3r commented 4 years ago

Hi, I have full root privileges, and I also did a check on port 19084. I ran SimpleHTTPServer on port 19084 and it works. There is nothing blocking it. So as you can see it is not the privilege issue.

[screenshot: 2020-02-12 11-12-40]
[screenshot: 2020-02-12 11-12-06]

epsylon commented 4 years ago

Look at the error message at your comment: https://github.com/epsylon/xsser/issues/55#issuecomment-584638490

localhost refused to connect

What about 127.0.0.1 != localhost? Did you try to change that URL?
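The "localhost refused to connect" error and the 127.0.0.1 question above are the same check: whether every address the name resolves to (often both 127.0.0.1 and ::1) has something listening on the port. This is an added diagnostic, not part of xsser; the 127.0.0.1-only listener is a constructed stand-in for the reverse service, and port 19084 is the one quoted in the thread.

```python
import socket
from contextlib import closing

def resolve(host: str, port: int) -> list:
    """Every (family, sockaddr) a TCP connect to host:port may use, e.g. localhost -> 127.0.0.1 and ::1."""
    return [(fam, sockaddr) for fam, _, _, _, sockaddr in
            socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]

def probe(host: str, port: int, timeout: float = 1.0) -> dict:
    """Attempt a connection to each resolved address; True means something accepted it."""
    results = {}
    for fam, sockaddr in resolve(host, port):
        with closing(socket.socket(fam, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                results[sockaddr[0]] = True
            except OSError:
                results[sockaddr[0]] = False
    return results

def start_v4_listener(port: int = 0):
    """Stand-in for a reverse service bound to 127.0.0.1 only; returns (socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))   # port 0 lets the OS pick a free one
    srv.listen(5)
    return srv, srv.getsockname()[1]

def diagnose(port: int = 19084) -> str:
    """Explain why a browser pointed at localhost:<port> may be refused while 127.0.0.1 works."""
    by_ip = probe("127.0.0.1", port)
    by_name = probe("localhost", port)
    if not any(by_ip.values()):
        return f"nothing is listening on 127.0.0.1:{port}; the reverse service did not start"
    if not all(by_name.values()):
        dead = [addr for addr, ok in by_name.items() if not ok]
        return f"service answers on 127.0.0.1 but 'localhost' also resolves to {dead}; use the IP"
    return f"localhost:{port} and 127.0.0.1:{port} both answer"

if __name__ == "__main__":
    print(diagnose())
```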

epsylon commented 4 years ago

Hi @Sublist3r, I am checking this issue, which looks related to a problem with "false positive" results, also described in this other thread: https://github.com/epsylon/xsser/issues/56

epsylon commented 4 years ago

A) This issue (the part related to the false positive result) should be fixed after this commit: https://github.com/epsylon/xsser/commit/93897b24d37ca30b8507387d1cc9418a427e876f
B) The error opening a socket looks like a user environment problem.

Sublist3r commented 4 years ago

Yeah... now it shows the false positives... one of the reasons why I could not find anything before. Thanks.