Comments (13)

Sublist3r commented on August 27, 2024

Yeah... now it shows the false positives... one of the reasons why I could not find anything before.
Thanks.

from xsser.

epsylon commented on August 27, 2024

Well... That you do not see the result on the website does not mean that it is a program error.

Have you tried to inject some other post-exploitation script, for example, one that gives you an alert()?

ex: xsser -u "https://www.thiswebsite.com/" -g "blablabla?countryName=Default&default%27b%27Country=XSS" -v --reverse-check --reverse-open --Fp "<script>alert(XSS);</script>"

Have you searched for the hash of a found injection (ex: c43a28532b76082519cb67ffe92794ca) in the resulting source code?

epsylon commented on August 27, 2024

On the other hand, do you know if the target website is using some AJAX?
Sometimes, even if the vector is injectable, the result is not where we expect it. If you think it uses JavaScript for the answers, try also playing with the 'BlindXSS' options (ex: --checkaturl = ALT)

Sublist3r commented on August 27, 2024

> Well... That you do not see the result on the website does not mean that it is a program error.
>
> Have you tried to inject some other post-exploitation script, for example, one that gives you an alert()?
>
> ex: xsser -u "https://www.thiswebsite.com/" -g "blablabla?countryName=Default&default%27b%27Country=XSS" -v --reverse-check --reverse-open --Fp "<script>alert(XSS);</script>"
>
> Have you searched for the hash of a found injection (ex: c43a28532b76082519cb67ffe92794ca) in the resulting source code?

Yes, the hash is in the source code...

epsylon commented on August 27, 2024

When trying --reverse-check combined with --reverse-open, just after discovering a vulnerability, you should have a browser open with a message (ex: "thanks for coming!" / "success"...). Do you reach that message in your tests? There we can find the discovered vector without the need to find it in the target's source code.

jepunband commented on August 27, 2024

See... that is the one I'm not getting. The browser opens with the --reverse-check option... but there were no messages whatsoever... :(

epsylon commented on August 27, 2024

> the browser opens with --reverse-check option.

You mean... with --reverse-open. OK! Maybe you haven't assigned a default web browser on your system. Let's try to open it manually. This reverse service is operating at: localhost:19084. So, after discovering a vulnerability, just open a browser and enter this location. You should see the messages this way.

Sublist3r commented on August 27, 2024

Command I used:
xsser -u https://www.website.com -c 20 --Cl --reverse-check --reverse-open

[Info] Generating 'token' url:

https://www.website.com/account/login/"><script>document.location=document.location.hash.substring(1)</script>"><script>document.location=document.location.hash.substring(1)</script>#http://localhost:19084/success/fe484f90bedef383dc254fcf248d8a87

epsylon commented on August 27, 2024

OK! It looks like something is wrong on your box when opening a new socket... You need to allow port 19084 to be opened on localhost (127.0.0.1). Is that port busy? Do you have sufficient privileges?

Sublist3r commented on August 27, 2024

Hi, I have full root privileges. I also did a check on port 19084: I ran SimpleHTTPServer on port 19084 and it works. There is nothing blocking it. So, as you can see, it is not a privilege issue.

epsylon commented on August 27, 2024

Look at the error message at your comment: #55 (comment)

> localhost refused to connect

What about 127.0.0.1 != localhost? Did you try to change that URL?

epsylon commented on August 27, 2024

Hi @Sublist3r, I am checking this issue, which looks related to a problem with "false positive" results, also described in this other thread: #56

epsylon commented on August 27, 2024

A) This issue (the part related to a false positive result) should be fixed after this commit: 93897b2
B) The error opening a socket looks like a user environment problem.

from xsser.
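
The `127.0.0.1 != localhost` question raised in the thread, as an added example that is not part of the original discussion or of XSSer's code: on many systems `localhost` resolves to `::1` as well as `127.0.0.1`, so a listener bound only to the IPv4 loopback answers on one name and refuses on the other. The function names are hypothetical; only port 19084 comes from the thread, and `demo()` uses a constructed listener on a free port.

```python
import socket

REVERSE_PORT = 19084  # port the thread gives for the reverse-check service

def resolve(host, port):
    """Unique (family, address) pairs the OS resolver returns for host."""
    pairs = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if (family, sockaddr[0]) not in pairs:
            pairs.append((family, sockaddr[0]))
    return pairs

def can_connect(family, addr, port, timeout=1.0):
    """True if a TCP connection to addr:port is accepted."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # refused, timed out, or address family unavailable
        return False

def probe(host, port=REVERSE_PORT):
    """Map every address behind host to whether the port answers there."""
    try:
        return {a: can_connect(f, a, port) for f, a in resolve(host, port)}
    except socket.gaierror:
        return {}  # name does not resolve at all

def demo():
    """Constructed case: listener bound to the IPv4 loopback only."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        srv.listen(5)
        port = srv.getsockname()[1]
        return {"127.0.0.1": can_connect(socket.AF_INET, "127.0.0.1", port),
                "::1": can_connect(socket.AF_INET6, "::1", port)}

if __name__ == "__main__":
    print("constructed case:", demo())
    for name in ("localhost", "127.0.0.1"):
        print(name, "->", probe(name))
```

If `probe("localhost")` shows `::1` refused while `127.0.0.1` is accepted, the browser's "localhost refused to connect" is a name-resolution mismatch rather than a blocked port or a privilege problem.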
