XSSless - An Automated XSS Payload Generator

XSSless Python Tool

XSSless is an automated XSS payload generator written in python.

Usage:

1. Record request(s) with Burp proxy
2. Select request(s) you want to generate, then right click and select "Save items"
3. Use XSSless to generate your payload: ./xssless.py burp_export_file

Pwn!

Features:

  • Automated XSS payload generation from imported Burp proxy requests
  • Payloads are 100% asynchronous and won't freeze the user's browser
  • Payloads are optimized, but should be minimized by a third party tool
  • CSRF tokens can be easily extracted and set via the -p option
  • POST multipart is supported, along with XSS file uploading via the -f option
  • Payloads are dynamic and portable (due to relative URLs)
  • Self-propagation is now supported - meaning you can set a POST value to the payload itself!
  • Crazy JavaScript worms with no hassle!

Installation:

Download the latest XSSless:
git clone https://github.com/mandatoryprogrammer/xssless

Run the script:
./xssless.py -h


Example:

This is an example XSS payload output (uncompressed) that parses CSRF tokens and uploads a binary all via XSS!

Example command line usage:
./xssless.py -s -f=example_file_list.txt -p=example_csrf_token_list.txt file_upload

                      .__                        
___  ___  ______ _____|  |   ____   ______ ______
\  \/  / /  ___//  ___/  | _/ __ \ /  ___//  ___/
 >    <  \___ \ \___ \|  |_\  ___/ \___ \ \___ \ 
/__/\_ \/____  >____  >____/\___  >____  >____  >
      \/     \/     \/          \/     \/     \/ 
               The automatic XSS payload generator
                     By mandatory (Matthew Bryant)
    https://github.com/mandatoryprogrammer/xssless


Example: C:\Users\Gokul G\Desktop\xssless-master\xssless.py [ OPTION(S) ] [ BURP FILE ]

-h               Shows this help menu
-p=PARSEFILE     Parse list - input file containing a list of CSRF token names to be 
                 automatically parsed and set.
-f=FILELIST      File list - input list of POST name/filenames to use in payload. 
                 ex: 'upload_filename,~/Desktop/shell.bin'
-m=METALIST      Self propagation list - input list of POST names for POSTing the 
                 XSS payload itself (for JavaScript worms)
-o=OUTFILE       Write payload to file rather than stdout
-s               Don't display the xssless logo
-n               Turn off payload optimization



No comments

Powered by Blogger.