Closed Webster1234 closed 4 years ago
Hi @Webster1234, you need to use a keyword (XSS or X1S) for the fuzzer at the place where you want to make injections.
For example:
xsser -u "http://192.168.1.100/dvwa/vulnerabilities/" -g "xss_r/?name=XSS" --cookie="security=low; PHPSESSID=uj3aruo7m4h2ea5k7frmbgil1u" -v -s --reverse-check
Also, you have here a PoC (warning: it can be a spoiler if you are playing with the tool for fun) of XSSer bypassing all the restrictions of this DVWA app (low, medium and high):
https://github.com/epsylon/xsser/issues/65#issuecomment-627069363
When I use xsser to scan the DVWA, I run
"xsser -u "http://192.168.1.100/dvwa/vulnerabilities/" -g "xss_r/?name=" --cookie="security=low; PHPSESSID=uj3aruo7m4h2ea5k7frmbgil1u" -v -s --reverse-check"
and xsser always returns
"[Error] XSSer cannot find a correct place to start an attack. Aborting!..."
I made sure that the DVWA XSS reflection can be injected manually and that the DVWA security is low.
Please help me figure out this problem, thanks.