Varbaek / Xsser
Licence: other
From XSS to RCE 2.75 - Black Hat Europe Arsenal 2017 + Extras
Stars: ✭ 381
Programming Languages
python
139335 projects - #7 most used programming language
Labels
Projects that are alternatives of or similar to Xsser
Findom Xss
A fast DOM based XSS vulnerability scanner with simplicity.
Stars: ✭ 310 (-18.64%)
Mutual labels: xss
Owasp Java Encoder
The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
Stars: ✭ 343 (-9.97%)
Mutual labels: xss
Application Security Engineer Interview Questions
Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer
Stars: ✭ 267 (-29.92%)
Mutual labels: xss
Javacodeaudit
Getting started with java code auditing 代码审计入门的小项目
Stars: ✭ 289 (-24.15%)
Mutual labels: xss
Bxss
bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
Stars: ✭ 331 (-13.12%)
Mutual labels: xss
xss-chef
A web application for generating custom XSS payloads
Stars: ✭ 70 (-81.63%)
Mutual labels: xss
Vuejs Serverside Template Xss
Demo of a Vue.js app that mixes both clientside templates and serverside templates leading to an XSS vulnerability
Stars: ✭ 278 (-27.03%)
Mutual labels: xss
Commodity Injection Signatures
Commodity Injection Signatures, Malicious Inputs, XSS, HTTP Header Injection, XXE, RCE, Javascript, XSLT
Stars: ✭ 267 (-29.92%)
Mutual labels: xss
Lamp Cloud
lamp-cloud 基于Jdk11 + SpringCloud + SpringBoot的微服务快速开发平台,其中的可配置的SaaS功能尤其闪耀, 具备RBAC功能、网关统一鉴权、Xss防跨站攻击、自动代码生成、多种存储系统、分布式事务、分布式定时任务等多个模块,支持多业务系统并行开发, 支持多服务并行开发,可以作为后端服务的开发脚手架。代码简洁,注释齐全,架构清晰,非常适合学习和企业作为基础框架使用。
Stars: ✭ 4,125 (+982.68%)
Mutual labels: xss
XSS-Cheatsheet
XSS Cheatsheet - A collection of XSS attack vectors https://xss.devwerks.net/
Stars: ✭ 26 (-93.18%)
Mutual labels: xss
Noscript
The popular NoScript Security Suite browser extension.
Stars: ✭ 366 (-3.94%)
Mutual labels: xss
Scaner
扫描器是来自GitHub平台的开源扫描器的集合,包括子域枚举、数据库漏洞扫描器、弱密码或信息泄漏扫描器、端口扫描器、指纹扫描器以及其他大规模扫描仪、模块扫描器等。对于其他著名的扫描工具,如:awvs、nmap,w3af将不包含在集合范围内。
Stars: ✭ 357 (-6.3%)
Mutual labels: xss
XSSER
Presentation
- From XSS to RCE 2.75 - Black Hat Europe Arsenal 2017
Demo
- Version 2.0 - 2015: https://www.youtube.com/playlist?list=PLIjb28IYMQgqqqApoGRCZ_O40vP-eKsgf
- Version 2.5 - 2016: https://www.youtube.com/playlist?list=PLRic6PgcrsWGkgacL6WFnSQKVRZIoofRj
- Version 2.75 - 2017: None Currently Available
Requirements
- Python (2.7.*, version
2.7.14
was used for development and testing) - Msfconsole (accessible via environment variables)
- Netcat (nc)
- PyGame (pip install pygame)
- jsmin (new dependency - pip install jsmin)
- xterm (previously gnome and bash)
To install the Python dependencies, you can run the following command:
pip install -r requirements.txt
If you're using a virtual environment, then you may need to use the full list:
pip install -r requirements-all-libraries-used.txt
For installation instructions on Ubuntu 16.04.1 LTS, please refer to the wiki: https://github.com/Varbaek/xsser/wiki
Removed Dependencies:
- Gnome (switched to xterm)
- Bash (only tested in bash, but should work in other terminals)
- cURL (switched to native python requests)
Payload Compatibility
- Chrome (2018) - Tested live at Black Hat Arsenal 2017 and during extras development.
- Firefox - Untested - Should still work as available JS features are almost the same.
WordPress Lab
- WordPress http://wordpress.org/
- Better WP Security 3.5.3 http://www.exploit-db.com/wp-content/themes/exploit/applications/c6d6beb3c11bc58856e15218d512b851-better-wp-security.3.5.3.zip
- Optional: WPSEO https://yoast.com/wordpress/plugins/seo/
WordPress Exploit
Joomla Lab
- Joomla https://www.joomla.org/
- SecurityCheck 2.8.9 https://www.exploit-db.com/apps/543ccd00b06d24be139d7e18212a0916-com_securitycheck_j3x-2.8.9.zip
Joomla Exploit
Directories
- Audio: Contains remixed audio notifications.
- Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
- Hello_Shell: Contains a Joomla extension backdoor, which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with ?c=ls or ?c64=base64_here. This directory was originally placed in "Joomla_Backdoor".
- Payloads/javascript: Contains the JavaScript payloads.
- Received_Data: Empty directory which will be used in future versions.
- Shells: Contains the PHP shells, including a slightly modified version of pentestmonkey's shell that connects back via wget to send the attacker a notification of success.
Developed By
- Hans-Michael Varbaek
- VarBITS
Special Credits
- MaXe / InterN0T
- Sense of Security (Versions 2.0 - 2.5)
Code Design
- It works! (Again!)
- Still spaghetti code, but now with almost complete
PEP8
and possible refactoring in the future. - Just-In-Time for Black Hat Europe 2017
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].