All of you web application penetration testers, check out this release of XSSer version 0.7a, for it now has 26 new injections!
“XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.”
These are the changes:
- Added attack payloads to fuzzer (26 new injections).
- Added POST connections: Now you can inject on webforms.
- Added Statistics: reports with data about efficiency, connections, vectors, etc.
- Added URL Shorteners: Now it is possible to have valid results in short links. For the moment, tinyurl and is.gd are supported. Your “malicious” code ready to share!!
- Added IP Octal: Spoofing for fuzzing vectors. Your remote/local IPs encoded in Octal.
- Added Post-processing payloads: When you have a valid “hole/payload”, you can tell XSSer to prepare the real code that you want to inject.
- Added DOM Shadows: For this version, this implementation is a server-side anti-logging feature. You can inject code using the Document Object Model eval function, to evade some possible server IDSs.
- Added Cookie injector: Now it is possible to inject code on HTTP Cookie parameters automatically.
- Added Browser DoS (Denial of Service): Yes!! If you have a valid payload to inject, XSSer will prepare code for you to share with victims that will “collapse” their browsers. DoS of the client browser, ready to play, friend -scripter-!
You can download XSSer version 0.7a here.
A new and updated version of RIPS, v0.32, is out and ready for action. You can find our first post regarding RIPS here.
RIPS is a static source code analyser for vulnerabilities in PHP web applications.
It was released during the Month of PHP Security.
RIPS is written in PHP itself and can be controlled by a web interface.
Some features:
- detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
- 5 verbosity levels for debugging your scan results
- mark vulnerable lines in source code viewer
- highlight specific variables in source code viewer
- user-defined function code by mouse-over on detected call
- list of all user-defined functions and program entry points (user input) connected to the source code viewer
- create CURL exploits for detected vulnerabilities with a few clicks
- 7 different syntax highlighting colour schemata
- only minimal requirement is a local webserver with PHP and a browser (tested with Opera and Firefox)
Before using it, we also recommend reading the paper (HTML, PDF) that the author has submitted, to be aware of the limitations RIPS has, either due to static source code analysis or because of the author's implementation of it.
In short: RIPS is not yet ready to be run on big code trees like WordPress.
Download RIPS 0.32 here
Today, we have a post from the Tales from the Crypto blog by Mr. Alun Jones!
“Cross-Site Scripting (XSS) – No Script Required” is a post by the author that demonstrates cross-site scripting without scripting! It shows a scriptless form of cross-site scripting that can essentially rewrite your page without your knowledge.
The author has done an amazing job that we think deserves applause.