epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net
1.17k stars, 238 forks

Reverse-check, no packets captured on port 19084 #58

Closed. geople closed this 4 years ago.

geople commented 4 years ago

Hello, I am testing http://testphp.vulnweb.com/search.php?test=query, which is a known vulnerable site for testing purposes. It has a real XSS vulnerability.

To Reproduce:

1) tcpdump -i any port 19084 -A
2) python3 xsser --auto -u "http://testphp.vulnweb.com/search.php?test=query" -p "searchFor=XSS&goButton=go" --reverse-check

Result of the scan (only final part):

```
==================================================

http://testphp.vulnweb.com/search.php?test=querysearchFor=

<button formaction=javascript:>Y&goButton=go<button formaction=javascript:>Y#http://localhost:19084/success/fa708f759885ce93f6eca7bf5ee22459

==================================================

CONGRATULATIONS!!! <-> This vector is doing a remote connection... So, is: 100% VULNERABLE! ;-)

http://testphp.vulnweb.com/search.php?test=query

==================================================

Final Results:

  • Injections: 1291
  • Failed: 4
  • Successful: 1287
  • Accur: 99.69016266460109 %

List of XSS injections:

You have found: 1287 XSS vector(s)! -> 100% VULNERABLE
```

However, tcpdump does not capture a single packet!

Running environment:

  • XSSer version: 1.8.2 (latest release)
  • Installation method: git
  • Operating system: Linux 5.3.0-kali3-amd64
  • Python version: Python 3.7.5
  • No virtualization

Target details: the --reverse-check check says that the connection is successful, but I am not able to capture any packet from it on port 19084.

Best Regards

epsylon commented 4 years ago

Hi @geople

Yes, you are right! ;-)

I have found some bytes-object errors that aren't allowing tokens to arrive properly, even when the socket on port 19084 is correctly listening. Let me fix it.

Meanwhile, you can test if your socket on that port is launched correctly.

For example, when running in GTK/GUI mode, it stays open from start to end (and not just for a snapshot to validate a payload, as in shell mode). So, you can try this:

1) python3 xsser --gtk
2) sudo netstat -atunp | grep LISTEN | grep 19084

tcp 0 0 127.0.0.1:19084 0.0.0.0:* LISTEN 4565/python3.5

And without using GTK, but trying to catch that snapshot in time, this other way:

1) python3 xsser -u "http://testphp.vulnweb.com/search.php?test=query" -p "searchFor=XSS&goButton=go" --reverse-check
2) (as root) watch "netstat -atunp | grep LISTEN | grep 19084"

This feature should allow several XSSer instances running on the same network to see/share results from the others in -real time-, just by visiting local IP ranges (ex: 192.168.1.23:19084/success/ed4021d42ca87fd47089dab4f437fb55) while a pentest is being performed, etc.

I will commit a patch for this, soon.

Many thanks for your report.

Cheers

epsylon commented 4 years ago

Hi again, @geople ...

I have advanced this option considerably, as well as other details of the tool, to launch a new version of the code (XSSer v1.8.3), soon.

Finally, your request is more to add a feature than to fix a bug, since the previous version did not contemplate being able to perform a --reverse-check using POST. It was only possible through GET, and in a very limited way: either using your own browser, or using the GTK mode, since it contains an embedded Mozilla engine.

With the new version, it is perfectly possible.

What I have done has been to add another engine, which runs in headless mode, and remove the option --reverse-open. It is no longer necessary to use the browser in any case.

In the same way, I have added a hash validation system between what is sent and what is received, so that you cannot get a message saying that it has arrived if it really has not.

Through flags, everything is now well controlled. That said, it is a great advance, thanks to your report.

Greetings.
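The token bookkeeping behind a reverse-check listener like the one on port 19084, as an added illustration that is not XSSer's own code: each sent vector carries a fresh token, the listener only counts a callback whose token it actually issued (the "hash validation between sent and received" mentioned above), and the request path is normalised from bytes before the comparison, since a silent bytes/str mismatch is exactly the kind of defect that makes a token never match. `ReverseCheckRegistry`, `serve` and `demo` are assumed names; the server binds a free loopback port instead of 19084.

```python
import hashlib
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

class ReverseCheckRegistry:
    def __init__(self):
        self.sent = {}         # token -> vector that carried it
        self.received = set()  # tokens that actually reached the listener
    def issue(self, vector, port, host="localhost"):
        # Unguessable per-vector token: a fixed or predictable one would let a
        # stray or replayed request count as a confirmation.
        token = hashlib.md5(secrets.token_bytes(16)).hexdigest()
        self.sent[token] = vector
        return f"http://{host}:{port}/success/{token}"
    def record(self, raw_path):
        # http.server hands us a str, raw sockets hand us bytes; in Python 3
        # b"abc" == "abc" is False, so normalise before comparing tokens.
        if isinstance(raw_path, bytes):
            raw_path = raw_path.decode("ascii", "replace")
        if not raw_path.startswith("/success/"):
            return False
        token = raw_path[len("/success/"):].split("?", 1)[0]
        if token not in self.sent:  # unknown token: never report success
            return False
        self.received.add(token)
        return True
    def confirmed(self, vector):
        return any(v == vector and t in self.received for t, v in self.sent.items())

def serve(registry):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200 if registry.record(self.path) else 404)
            self.end_headers()
        def log_message(self, *args):  # keep the listener quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    reg = ReverseCheckRegistry()
    srv = serve(reg)
    url = reg.issue("searchFor=XSS", srv.server_address[1], "127.0.0.1")
    urlopen(url).read()  # stands in for the browser executing the vector
    srv.shutdown()
    return reg.confirmed("searchFor=XSS")  # True
```

Running `demo()` shows a confirmed vector; a request with a token the registry never issued gets a 404 and does not mark anything as vulnerable.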

geople commented 4 years ago

Thanks for your dedication and your hard work! I will start testing after your new release!

epsylon commented 4 years ago

New release is practically ready... ;-)

[HTTP POST] [REMOTE] Reverse Exploit:

epsylon commented 4 years ago

New release launched: https://github.com/epsylon/xsser/releases/tag/1.8.3