Browsing category

Cross Site Scripting

Xssizer – The Best Tool To Find And Prove XSS Flaws

XSSizer helps penetration testers, bug hunters and other security professionals to easily detect such vulnerabilities and produces a ready-to-use PoC exploit for demonstration. According to Wikipedia, cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A […]

XSpear: Powerful XSS Scanning and Parameter Analysis tool

XSpear is an XSS scanner on Ruby gems with tons of features for exploiting XSS. Key features: Pattern matching based XSS scanning; Detect alert, confirm and prompt events on headless browser (with Selenium); Testing request/response for XSS protection bypass and reflected params; Reflected Params; Filtered test event handler HTML tag Special Char; Testing Blind XSS (with […]

XSS Chef: Generating Custom XSS payloads

XSS Chef is a small React.js application inspired by CyberChef, which provides users with a modular way to build JavaScript payloads, typically used during penetration tests to demonstrate cross-site scripting vulnerabilities. A live copy of the application can be found here. What Can I Do with XSS Chef? The current set of recipes can […]

JShell – Get A JavaScript Shell With XSS

JShell – Get a JavaScript shell with XSS. Usage: Run shell.py and JShell will automatically try to detect your IP address; the default LPORT is 33. As you can see the payload has been generated and now all you have to do is to deliver this payload to the victim. As soon as you do that, […]

XSS Shell – XSS Backdoor & Zombie Manager

XSS Shell is a powerful XSS backdoor and a zombie manager. Using XSS Shell one can interactively send requests and get responses from the victim, and it allows you to keep control of the session. Features: Regenerating Pages: This is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keep […]

XSStrike – Advanced XSS Detection and Exploitation Suite

XSStrike is an advanced XSS detection suite. It has a powerful fuzzing engine and provides zero false positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads. It is intelligent enough to detect and break out of various contexts. Features: Powerful fuzzing engine; Context breaking technology; Intelligent […]

CookieCatcher – Tool For Hijacking Sessions Using XSS

CookieCatcher is an open source application that allows you to perform session hijacking (cookie stealing) through XSS (cross site scripting). Features: Prebuilt payloads to steal cookie data; Just copy and paste payload into an XSS vulnerability; Will send email notification when new cookies are stolen; Will attempt to refresh cookies every 3 minutes to avoid inactivity […]

xsscrapy – Fast, thorough, XSS/SQLi spider

Give it a URL and it’ll test every link it finds for cross-site scripting and some SQL injection vulnerabilities. See FAQ for more details about SQLi detection. From within the main folder run: ./xsscrapy.py -u http://example.com. If you wish to log in then crawl: ./xsscrapy.py -u http://example.com/login_page -l loginname. If you wish to log in with HTTP […]

XSSER – From XSS to RCE

This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from […]