-

XSSer – Automated Framework Tool to Detect and Exploit XSS vulnerabilities

XSS
XSS is a very commonly exploited vulnerability type which is very widely spreadand easily detectable for XSS.
An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site [Read More].
Cross Site “Scripter” (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.

Installation XSSer – XSS

XSSer runs on many platforms. It requires Python and the following libraries:
- python-pycurl - Python bindings to libcurl
- python-xmlbuilder - create xml/(x)html files - Python 2.x
- python-beautifulsoup - error-tolerant HTML parser for Python
- python-geoip - Python bindings for the GeoIP IP-to-country resolver library
To install on Debian-based systems
sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip

Usage

To list all the features XSSer Package   “xsser -h”
root@kali:~# xsser -h
XSSER automated framework to detect, exploit and report XSS vulnerabilities
To launch a simple Injection attack
root@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker”
XSSER automated framework to detect, exploit and report XSS vulnerabilities
XSSER automated framework to detect, exploit and report XSS vulnerabilities

Injection from Dork, by selecting “google” as search engine:

root@kali:~# xsser –De “google” -d “search.php?q=”
XSSER automated framework to detect, exploit and report XSS vulnerabilities
In This KaliLinux Tutorial, To perform Multiple injections from URL, with Automatic payload, establishing a reverse connection.
xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –auto –reverse-check -s
XSSER automated framework to detect, exploit and report XSS vulnerabilities
Simple URL Injection, using GET, injecting on Cookie and using DOM shadow

Parameter filtering with heuristics

root@kali:~# xsser -u “http://192.168.169.130/xss/example1.php?name=hacker” –heuristic
XSSER automated framework to detect, exploit and report XSS vulnerabilitiesXSSER automated framework to detect, exploit and report XSS vulnerabilities

To Launch GUI Interface

root@kali:~# xsser –gtk
You can also use TOR proxy with XSSer.

Key Features

  • Injection with both GET and POST methods.
  • Includes various filters and bypassing techniques.
  • can be used both with the command line and GUI.
  • Will provide detailed stats of the attack.

Common Defenses against XSS

  • What input do we trust?
  • Does it adhere to expected patterns?
  • Never simply reflect untrusted data.
  • Applies to data within our database too.
  • Encoding of context(Java/attribute/HTML/CSS).

கருத்துகள்

கருத்துரையிடுக

இந்த வலைப்பதிவில் உள்ள பிரபலமான இடுகைகள்

SIPVicious using kali linux

-
படம்
SIPVicious February 18, 2014 Sniffing/Spoofing SIPVicious Package Description SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:. svmap – this is a sip scanner. Lists SIP devices found on an IP range svwar – identifies active extensions on a PBX svcrack – an online password cracker for SIP PBX svreport – manages sessions and exports reports to various formats svcrash – attempts to stop unauthorized svwar and svcrack scans. Source: https://code.google.com/p/sipvicious/ SIPVicious Homepage  |  Kali SIPVicious Repo Author: Sandro Gauci License: GPLv2 Tools included in the sipvicious package svcrack – Online password cracker for SIP PBX root@kali:~# svcrack -h Usage: svcrack -u username [options] target examples: svcrack -u100 -d dictionary.txt 10.0.0.1 svcrack -u100 -r1-9999 -z4 10.0.0.1 Options:   --version             show program's ver...
மேலும் படிக்கவும்
-
படம்
Acoustic Attack Against HDDs Can Cause Permanent Damage CCTV DVR, PCs, ATMs Hard disks play a vital role in numerous computing systems including, personal computers, closed-circuit television (CCTV) systems, medical bedside monitors, and automated teller machines (ATMs). Security researchers from Purdue University show that an attacker can use acoustic sound to cause significant vibrations in HDDs internal components.They show even if a small displacement in the head leads to malfunction with HDD operation and can cause permanent damage. HDD Acoustic Attack An HDD consists of two components the platters and the read-write heads. The data will be stored in platters and the read/write operations performed by heads. If the attacker can create the acoustic signals nearer to victim device in audible frequencies by using an external speaker or any other device may result in remote software exploitation which allows an attacker to deceive the user to play a malicious sound attach...
மேலும் படிக்கவும்

Three Major Categories of Telecom Fraud

-
படம்
A Guide to Detecting and Preventing Telecom Fraud According to the Federal Trade Commission, telecom fraud continues to account for more and more fraud complaints each year. The numbers continue to grow and new technology has led to an onslaught of new telecom fraud tactics. The latest schemes are difficult to track and investigate because of their frequency, their layers of anonymity, and their global nature. This guide will help you learn about the different types of telecom fraud and industry best practices for detection and prevention. Three Major Categories of Telecom Fraud We will divide the many telecom fraud schemes into three broad categories, based on who the fraudsters are targeting. These categories are: Schemes to Defraud Telecom Service Providers These schemes are the most complicated, and exploit telecom service providers using stimulated traffic, SIP trunking, regulatory loopholes, and more. Schemes to Defraud Subscribers This is simply any scheme that...
மேலும் படிக்கவும்