XSSless - An Automated XSS Payload Generator
XSSless is an automated XSS payload generator written in Python.
Usage:
1. Record request(s) with Burp proxy
2. Select the request(s) you want to generate payloads for, then right-click and select "Save items"
3. Use XSSless to generate your payload: ./xssless.py burp_export_file
Pwn!
Features:
- Automated XSS payload generation from imported Burp proxy requests
- Payloads are 100% asynchronous and won't freeze the user's browser
- Payloads are optimized, but should be minified with a third-party tool
- CSRF tokens can be easily extracted and set via the -p option
- POST multipart is supported, along with XSS file uploading via the -f option
- Payloads are dynamic and portable (due to relative URLs)
- Self-propagation is now supported - meaning you can set a POST value to the payload itself!
- Crazy JavaScript worms with no hassle!
Installation:
Download the latest XSSless:
git clone https://github.com/mandatoryprogrammer/xssless
Run the script:
./xssless.py -h
Example:
This is an example XSS payload output (uncompressed) that parses CSRF tokens and uploads a binary, all via XSS!
Example command line usage:
./xssless.py -s -f=example_file_list.txt -p=example_csrf_token_list.txt file_upload
(xssless ASCII-art logo, as printed by the script)
The automatic XSS payload generator
By mandatory (Matthew Bryant)
https://github.com/mandatoryprogrammer/xssless
Example: C:\Users\Gokul G\Desktop\xssless-master\xssless.py [ OPTION(S) ] [ BURP FILE ]
-h Shows this help menu
-p=PARSEFILE Parse list - input file containing a list of CSRF token names to be
automatically parsed and set.
-f=FILELIST File list - input list of POST name/filenames to use in payload.
ex: 'upload_filename,~/Desktop/shell.bin'
-m=METALIST Self propagation list - input list of POST names for POSTing the
XSS payload itself (for JavaScript worms)
-o=OUTFILE Write payload to file rather than stdout
-s Don't display the xssless logo
-n Turn off payload optimization
Source: www.effecthacking.com
Reviewed by Anonymous, 7:32 PM