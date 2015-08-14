XSSless - An Automated XSS Payload Generator
XSSless is an automated XSS payload generator written in python.
Usage:1. Record request(s) with Burp proxy
2. Select request(s) you want to generate, then right click and select "Save items"
3. Use XSSless to generate your payload: ./xssless.py burp_export_file
Pwn!
Features:
- Automated XSS payload generation from imported Burp proxy requests
- Payloads are 100% asynchronous and won't freeze the user's browser
- Payloads are optimized, but should be minimized by a third party tool
- CSRF tokens can be easily extracted and set via the -p option
- POST multipart is supported, along with XSS file uploading via the -f option
- Payloads are dynamic and portable (due to relative URLs)
- Self-propagation is now supported - meaning you can set a POST value to the payload itself!
- Crazy JavaScript worms with no hassle!
Installation:
Download the latest XSSless:
git clone https://github.com/mandatoryprogrammer/xssless
Run the script:
./xssless.py -h
Example:This is an example XSS payload output (uncompressed) that parses CSRF tokens and uploads a binary all via XSS!
Example command line usage:
./xssless.py -s -f=example_file_list.txt -p=example_csrf_token_list.txt file_upload
.__ ___ ___ ______ _____| | ____ ______ ______ \ \/ / / ___// ___/ | _/ __ \ / ___// ___/ > < \___ \ \___ \| |_\ ___/ \___ \ \___ \ /__/\_ \/____ >____ >____/\___ >____ >____ > \/ \/ \/ \/ \/ \/ The automatic XSS payload generator By mandatory (Matthew Bryant) https://github.com/mandatoryprogrammer/xssless Example: C:\Users\Gokul G\Desktop\xssless-master\xssless.py [ OPTION(S) ] [ BURP FILE ] -h Shows this help menu -p=PARSEFILE Parse list - input file containing a list of CSRF token names to be automatically parsed and set. -f=FILELIST File list - input list of POST name/filenames to use in payload. ex: 'upload_filename,~/Desktop/shell.bin' -m=METALIST Self propagation list - input list of POST names for POSTing the XSS payload itself (for JavaScript worms) -o=OUTFILE Write payload to file rather than stdout -s Don't display the xssless logo -n Turn off payload optimization
