epsylon/xsser
GitHub: epsylon/xsser
XSSer 是一款自动化 XSS 漏洞检测与利用框架,用于在 Web 应用中大规模发现、验证并报告跨站脚本漏洞。
Stars: 1455 | Forks: 268

+ 网站:https://xsser.03c8.net
Cross Site "Scripter"(又名 XSSer)是一个自动化 -框架-,用于检测、利用和报告基于 Web 的应用程序中的 XSS 漏洞。
它提供了多种尝试绕过特定过滤器的选项,以及用于代码注入的各种特殊技术。
主要功能:
```
- [ > 1500 ] pre-installed XSS attacking vectors (automatic fuzzing).
- Validation: each finding is verified for real executability. A context-aware engine tells apart executable contexts (HTML, JS, event handlers, javascript:/data: URIs) from harmless reflections, with an optional headless-browser reverse connection (--reverse-check) to confirm findings and cut false positives.
- Targeting: URL, file, stdin/pipe, raw HTTP request (-r), 'dorking' (multiple engines) and crawler.
- Injection: GET/POST, Cookie/User-Agent/Referer, DOM and HTTP Response Splitting.
- Evasion: per-WAF bypassers + character-encoding bypassers; proxy/Tor; client-certificate auth.
- Reporting: PDF (professional), XML and JSON (for CI / pipelines).
```
它还可以在多个 WAF 上进行绕过和利用代码:
```
[Cloudflare]: Cloudflare WAF
[Akamai]: Akamai (Kona / App & API Protector)
[AWS]: AWS WAF
[Azure]: Azure Front Door WAF
[Imperva]: Imperva (Incapsula / Cloud WAF)
[F5]: F5 BIG-IP ASM / Advanced WAF
[Barracuda]: Barracuda WAF
[ModSec]: Mod-Security + OWASP CRS v3
[Wordfence]: Wordfence (WordPress)
[Sucuri]: Sucuri (CloudProxy)
[FortiWeb]: Fortinet FortiWeb
[WebKnight]: AQTRONIX WebKnight
```

#### 安装:
XSSer 可以在许多平台上运行。它需要 Python(3.x)以及以下库:
```
- python3-pycurl - Python bindings to libcurl (Python 3)
- python3-bs4 - error-tolerant HTML parser for Python 3
- python3-geoip - Python3 bindings for the GeoIP IP-to-country resolver library
- python3-gi - Python 3 bindings for gobject-introspection libraries
- python3-selenium - Python3 bindings for Selenium
- firefoxdriver - Firefox WebDriver support
- ddgs - DuckDuckGo search library (used by the 'dorking' engine)
- fpdf2 - PDF generation library (used by the '--pdf' report exporter)
```
在基于 Debian 的系统(例如:Ubuntu)上,运行:
```
sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-gi python3-selenium firefoxdriver python3-fpdf2
```
在其他系统上,例如:Kali、Ubuntu、ArchLinux、ParrotSec、Fedora 等……也可以运行:
```
sudo pip3 install pycurl bs4 pygeoip PyGObject selenium ddgs fpdf2
```
#### 源码库:
* Python: https://www.python.org/downloads/
* PyCurl: http://pycurl.sourceforge.net/
* PyBeautifulSoup4: https://pypi.org/project/beautifulsoup4/
* PyGeoIP: https://pypi.org/project/pygeoip/
* PyGObject: https://pypi.org/project/gobject/
* PySelenium: https://pypi.org/project/selenium/
* ddgs: https://pypi.org/project/ddgs/
* fpdf2: https://pypi.org/project/fpdf2/
#### 许可证:
XSSer 是在 GPLv3 下发布的。你可以在
[LICENSE](./docs/LICENSE) 文件中找到完整的许可证文本。
#### 截图:

")





标签:CISA项目, Elastic, Python, Web安全, XSS, 无后门, 漏洞情报, 蓝队分析, 逆向工具