epsylon/xsser

GitHub: epsylon/xsser

XSSer 是一款自动化 XSS 漏洞检测与利用框架,用于在 Web 应用中大规模发现、验证并报告跨站脚本漏洞。

Stars: 1455 | Forks: 268

![XSSer](https://xsser.03c8.net/xsser/blackswarm_banner.png "XSSer v1.9 - Bl4ck Swarm!") + 网站:https://xsser.03c8.net Cross Site "Scripter"(又名 XSSer)是一个自动化 -框架-,用于检测、利用和报告基于 Web 的应用程序中的 XSS 漏洞。 它提供了多种尝试绕过特定过滤器的选项,以及用于代码注入的各种特殊技术。 主要功能: ``` - [ > 1500 ] pre-installed XSS attacking vectors (automatic fuzzing). - Validation: each finding is verified for real executability. A context-aware engine tells apart executable contexts (HTML, JS, event handlers, javascript:/data: URIs) from harmless reflections, with an optional headless-browser reverse connection (--reverse-check) to confirm findings and cut false positives. - Targeting: URL, file, stdin/pipe, raw HTTP request (-r), 'dorking' (multiple engines) and crawler. - Injection: GET/POST, Cookie/User-Agent/Referer, DOM and HTTP Response Splitting. - Evasion: per-WAF bypassers + character-encoding bypassers; proxy/Tor; client-certificate auth. - Reporting: PDF (professional), XML and JSON (for CI / pipelines). ``` 它还可以在多个 WAF 上进行绕过和利用代码: ``` [Cloudflare]: Cloudflare WAF [Akamai]: Akamai (Kona / App & API Protector) [AWS]: AWS WAF [Azure]: Azure Front Door WAF [Imperva]: Imperva (Incapsula / Cloud WAF) [F5]: F5 BIG-IP ASM / Advanced WAF [Barracuda]: Barracuda WAF [ModSec]: Mod-Security + OWASP CRS v3 [Wordfence]: Wordfence (WordPress) [Sucuri]: Sucuri (CloudProxy) [FortiWeb]: Fortinet FortiWeb [WebKnight]: AQTRONIX WebKnight ``` ![XSSer](https://xsser.03c8.net/xsser/blackswarm_options.png "XSSer v1.9 - WAF Bypassers & Encoders") #### 安装: XSSer 可以在许多平台上运行。它需要 Python(3.x)以及以下库: ``` - python3-pycurl - Python bindings to libcurl (Python 3) - python3-bs4 - error-tolerant HTML parser for Python 3 - python3-geoip - Python3 bindings for the GeoIP IP-to-country resolver library - python3-gi - Python 3 bindings for gobject-introspection libraries - python3-selenium - Python3 bindings for Selenium - firefoxdriver - Firefox WebDriver support - ddgs - DuckDuckGo search library (used by the 'dorking' engine) - fpdf2 - PDF generation library (used by the '--pdf' report exporter) ``` 在基于 Debian 的系统(例如:Ubuntu)上,运行: ``` sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-gi python3-selenium firefoxdriver python3-fpdf2 ``` 在其他系统上,例如:Kali、Ubuntu、ArchLinux、ParrotSec、Fedora 等……也可以运行: ``` sudo pip3 install pycurl bs4 pygeoip PyGObject selenium ddgs fpdf2 ``` #### 源码库: * Python: https://www.python.org/downloads/ * PyCurl: http://pycurl.sourceforge.net/ * PyBeautifulSoup4: https://pypi.org/project/beautifulsoup4/ * PyGeoIP: https://pypi.org/project/pygeoip/ * PyGObject: https://pypi.org/project/gobject/ * PySelenium: https://pypi.org/project/selenium/ * ddgs: https://pypi.org/project/ddgs/ * fpdf2: https://pypi.org/project/fpdf2/ #### 许可证: XSSer 是在 GPLv3 下发布的。你可以在 [LICENSE](./docs/LICENSE) 文件中找到完整的许可证文本。 #### 截图: ![XSSer](https://xsser.03c8.net/xsser/blackswarm_shell.png "XSSer Shell") ![XSSer](https://xsser.03c8.net/xsser/blackswarm_dorking.png "XSSer Dorking (multiple engines)") ![XSSer](https://xsser.03c8.net/xsser/blackswarm_gui.png "XSSer GTK GUI") ![XSSer](https://xsser.03c8.net/xsser/blackswarm_gui_waf.png "XSSer GUI - Anti-antiXSS/IDS WAF Bypassers") ![XSSer](https://xsser.03c8.net/xsser/blackswarm_gui_bypasser.png "XSSer GUI - Encoders & Bypassers") ![XSSer](https://xsser.03c8.net/xsser/blackswarm_report.png "XSSer PDF Report") ![XSSer](https://xsser.03c8.net/xsser/blackswarm_map.png "XSSer GeoMap")
标签:CISA项目, Elastic, Python, Web安全, XSS, 无后门, 漏洞情报, 蓝队分析, 逆向工具