Comments (13)
yeah .. now it shows the false positives ... one of the reason why i could not find anything before..
Thanks.
from xsser.
Well... That you do not see the result on the website, does not mean that it is a program error..
Have you tried to inject some other post-exploitation script, for example, that gives you an alert ()?
ex: xsser -u "https://www.thiswebsite.com/" -g "blablabla?countryName=Default&default%27b%27Country=XSS" -v --reverse-check --reverse-open --Fp "<script>alert(XSS);</script>"
Have you searched for the hash of a found injection (ex: c43a28532b76082519cb67ffe92794ca) in the resulting source code?
from xsser.
On the other hand. Do you know if the target website is using some AJAX?
Sometimes, even if the vector is injectable, the result is not where we expect it. If you think it uses javascript for the answers, try also playing with the 'BlindXSS' options (ex: --checkaturl = ALT)
from xsser.
Well... That you do not see the result on the website, does not mean that it is a program error..
Have you tried to inject some other post-exploitation script, for example, that gives you an alert ()?
ex:
xsser -u "https://www.thiswebsite.com/" -g "blablabla?countryName=Default&default%27b%27Country=XSS" -v --reverse-check --reverse-open --Fp "<script>alert(XSS);</script>"
Have you searched for the hash of a found injection (ex: c43a28532b76082519cb67ffe92794ca) in the resulting source code?
yes. the hash is in the source code...
from xsser.
When trying a --reverse-check combined with --reverse-open and just after discover a vulnerability, you should have open a browser with a message (ex: "thanks for coming!" / "success"...). Do you reach that message on your tests?. There we can found vector discovered without the need to find it on target's source code.
from xsser.
See.. that is the one im not getting.. the browser opens with --reverse-check option. ..but there were no messages of any whatsoever... :(
from xsser.
the browser opens with --reverse-check option.
you mean... when --reverse-open. OK!. Maybe you haven't assigned a default web-browser on your system. Let's try to open it, manually. This reverse-service is operating at: localhost:19084. So, after discover a vulnerability, just open a browser and enter this location. You should see that messages this way.
from xsser.
command i used:
xsser -u https://www.website.com -c 20 --Cl --reverse-check --reverse-open
[Info] Generating 'token' url:
https://www.website.com/account/login/"><script>document.location=document.location.hash.substring(1)</script>"><script>document.location=document.location.hash.substring(1)</script>#http://localhost:19084/success/fe484f90bedef383dc254fcf248d8a87
from xsser.
OK!. Looks that something is wrong on your box, when opening a new socket... You need to allow a port to be opened in 19084, in localhost (127.0.0.1). Do you have that busy port?. Do you have sufficient privileges?
from xsser.
hi i have full root privileges, i also did a check on port 19084. I ran SimpleHTTPServer on port 19084 and it works. There is nothing blocking it. So as you can see it is not the privilege isssue.
from xsser.
Look at the error message at your comment: #55 (comment)
localhost refused to connect
What about 127.0.0.1 != localhost?. Did you tried to change that url?
from xsser.
Hi @Sublist3r, I am checking this issue, that looks related to a problem with "false positives" results, also described at this other thread: #56
from xsser.
A) This issue (the part related with a false positive result) should be fixed after this commit: 93897b2
B) Error opening a socket looks like a user environment problem.
from xsser.
Related Issues (20)
- Valueerror when install xsser in windows 8 32bit HOT 4
- --reverse-check fails due to initial cookies improperly added to second query with reverse payload HOT 10
- it seems not useful HOT 4
- Couldnt specify injection point HOT 1
- xsser can't find the attack place HOT 1
- Using python 3.5 TypeError: coercing to str: need a bytes-like object, NoneType found HOT 11
- Error HOT 2
- TypeError HOT 2
- TypeError HOT 1
- xsser can not working HOT 1
- xsser not working HOT 1
- Error execution HOT 1
- Mac (12.0.1) Installation HOT 1
- print result bug INT HOT 1
- Typo in main.py - "self.repot" HOT 1
- Infinity Landing gtk HOT 3
- pycurl installation error HOT 1
- Xsser calls not found on every parameter HOT 2
- Error] Not any valid source provided to start a test... Aborting! HOT 1
- UnboundLocalError: cannot access local variable 'payload_string' where it is not associated with a value HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from xsser.