xsshunter_client's Introduction

XSS Hunter Client

What is this tool for?

This tool generates correlated XSS payloads: each payload is tagged with a unique ID that can be used to track which HTTP request caused which XSS payload to fire. When you use this tool, all of your injection attempts are tracked, and the reports you generate include the responsible injection attempt in the final output. This is useful because XSS payloads can often traverse multiple services (and even protocols) before firing, so it's not always clear which injection caused a certain XSS payload to fire.

Setup

  1. Create an XSS Hunter account at https://xsshunter.com/
  2. Create a new virtual environment by running virtualenv env
  3. Source the newly created environment by running source env/bin/activate
  4. Install the required libraries by running pip install -r requirements.txt
  5. Run the config generation tool ./generate_config.py and follow the steps mentioned.
  6. Now run mitmproxy with this client as an inline script: mitmproxy -s mitm_xsshunter.py -p 1234
  7. Proxy your browser through this new tool. Keep in mind that you may have to install the mitmproxy certificate authority if you have not done so already.

Using the XSS Hunter Client

Using the client is simple. During config generation you set a list of dummy words: special strings that the proxy tool replaces whenever it sees them. For example, one rule could have https://example.com as the dummy word with the javascript: URI payload selected. Once the proxy sees https://example.com in a request, it automatically replaces it with the javascript: URI payload. It is very important that you choose a unique dummy word that is unlikely to appear regularly in requests; otherwise you risk scattering your payloads where you don't want them.
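
The correlation bookkeeping described in the two sections above, as an added example (not code from xsshunter_client). The rule table, the inert [[probe:{id}]] template, and the names tag_request and correlate are assumptions made for illustration; every occurrence of a dummy word gets its own ID, which is why an over-common dummy word floods the log.

```python
import re
import uuid

# Hypothetical rule table: dummy word -> inert template ("{id}" = correlation ID).
# A real rule would map to one of the payload types chosen during config generation.
RULES = {"XSSDUMMY_7f3a": "[[probe:{id}]]"}


def tag_request(request, rules, log, new_id=lambda: uuid.uuid4().hex[:12]):
    """Replace each dummy word in the URL and body with a uniquely tagged
    template, recording in `log` which request carried which ID."""
    if not rules:
        return dict(request)
    # Longest words first so one dummy word cannot shadow a longer one.
    words = sorted(rules, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(w) for w in words))
    tagged = dict(request)
    for field in ("url", "body"):
        def substitute(match, field=field):
            injection_id = new_id()
            log[injection_id] = {
                "request": request,          # the untouched original
                "field": field,
                "dummy_word": match.group(0),
                "offset": match.start(),
            }
            return rules[match.group(0)].replace("{id}", injection_id)
        tagged[field] = pattern.sub(substitute, request[field])
    return tagged


def correlate(log, fired_id):
    """Map the ID reported by a fired payload back to its injection record."""
    return log.get(fired_id)


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = {"method": "POST",
              "url": "https://app.test/profile?ref=XSSDUMMY_7f3a",
              "body": "name=XSSDUMMY_7f3a&bio=hello"}
    injections = {}
    print(tag_request(sample, RULES, injections))
    for injection_id, record in injections.items():
        print(injection_id, record["field"], record["offset"])
```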

xsshunter_client's People

Contributors

mandatoryprogrammer

xsshunter_client's Issues

Fixed with a Kludge - Far from Ideal!

Hello,

I thought this a very cool tool, so I managed to get this working 'as is' with a kludge.

Long story short - openssl has changed quite a bit in the last few years and any recent versions break the old version of cryptography specified. I found a way of adding and linking an old (and insecure) version of openssl to the python env and the required libraries without having to disturb the up-to-date system version:

# Modified from the code at: https://github.com/pyca/cryptography/blob/master/docs/installation.rst#static-wheels
# Tested with Python2 (2.7.15+) and pip2 (18.0) current at  05 Sept 2018 

set -e

OPENSSL_VERSION="1.0.1m"
CWD=$(pwd)

pip2 install -U setuptools
pip2 install -U wheel pip
curl -O https://www.openssl.org/source/old/1.0.1/openssl-${OPENSSL_VERSION}.tar.gz
tar xvf openssl-${OPENSSL_VERSION}.tar.gz
cd openssl-${OPENSSL_VERSION}
./config no-shared -fPIC --prefix=${CWD}/openssl
make && make install
cd ..
# Build wheels for the pinned requirements against the private OpenSSL above.
# Each continued line must end in a backslash so the package list stays part of one command.
CFLAGS="-I${CWD}/openssl/include" LDFLAGS="-L${CWD}/openssl/lib" pip2 wheel --no-binary :all: \
  cryptography==1.1.2 argh==0.26.1 backports-abc==0.4 backports.ssl-match-hostname==3.5.0.1 \
  blinker==1.4 certifi==2016.2.28 cffi==1.5.2 click==6.2 ConfigArgParse==0.10.0 construct==2.5.2 \
  enum34==1.1.2 futures==3.0.5 hpack==2.0.1 html2text==2015.11.4 idna==2.0 ipaddress==1.0.16 \
  lxml==3.4.4 mitmproxy==0.15 ndg-httpsclient==0.4.0 netlib==0.15.1 passlib==1.6.5 pathtools==0.1.2 \
  Pillow==3.0.0 pyasn1==0.1.9 pycparser==2.14 pyOpenSSL==0.15.1 pyparsing==2.0.7 \
  pyperclip==1.5.26 PyYAML==3.11 requests==2.9.1 requests-futures==0.9.7 singledispatch==3.4.0.3 \
  six==1.10.0 tornado==4.3 urwid==1.3.1 watchdog==0.8.3 wheel==0.24.0

This compiles and links everything together and creates a bunch of .whl (wheel) files in the installation directory as a side effect - run this instead of step 4 in the setup instructions.

As it is not really a proper fix, I haven't forked it into the code. Just left it here on an 'as is' basis. Note that you must only use this fix in a Python env so as not to replace your system SSL library with an old insecure one!

When I have some time, I might try getting this running with the most recent consistent versions of all the libraries in requirements.txt such that the current system installed versions of openssl works (this will likely need a few changes to the code). If I have any success with that, I will look at forking into the code.

Cheers.

ImportError: No module named enum

I successfully installed xsshunter_client on Windows, but I got an error, ImportError: No module named enum, when I ran mitmdump -s mitm_xsshunter.py -p 1234

pip install -r requirements.txt failing with multiple errors.

Trying to install xsshunter_client on Lubuntu 19.10, but the command 'pip install -r requirements.txt' is failing with multiple errors. Sorry, I really don't know much about this particular stuph. I've cited errors below but I don't know what is really relevant, that's why I've posted the whole thing at https://pastebin.com/c33hk0qQ, but here is the error at the end of it:

ERROR: Command errored out with exit status 1: /home/t0p/dev/env/bin/python2 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-2yueHP/cffi/setup.py'"'"'; file='"'"'/tmp/pip-install-2yueHP/cffi/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record /tmp/pip-record-YkFoRV/install-record.txt --single-version-externally-managed --compile --install-headers /home/t0p/dev/env/include/site/python2.7/cffi Check the logs for full command output.

It failed to build cffi, cryptography, lxml and Pillow.

The cffi error is this I think:

creating build/temp.linux-x86_64-2.7/c                                     
  x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fdebug-prefix-map=/build/python2.7-8kFkPd/python2.7-2.7.17=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -DUSE__THREAD -I/usr/include/ffi -I/usr/include/libffi -I/usr/include/python2.7 -c c/_cffi_backend.c -o build/temp.linux-x86_64-2.7/c/_cffi_backend.o                      
  c/_cffi_backend.c:2:10: fatal error: Python.h: No such file or directory   
      2 | #include <Python.h>                                                
        |          ^~~~~~~~~~                                                
  compilation terminated.                                                    
  error: command 'x86_64-linux-gnu-gcc' failed with exit status 1            
  ----------------------------------------                                   
  ERROR: Failed building wheel for cffi

cryptography error:

 running build_ext                                                          
  generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'            
  creating build/temp.linux-x86_64-2.7                                       
  generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'      
  generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'            
  building '_openssl' extension                                              
  creating build/temp.linux-x86_64-2.7/build                                 
  creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7           
  x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fdebug-prefix-map=/build/python2.7-8kFkPd/python2.7-2.7.17=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o                                   
  build/temp.linux-x86_64-2.7/_openssl.c:22:12: fatal error: pyconfig.h: No such file or directory                                                        
     22 | #  include <pyconfig.h>                                            
        |            ^~~~~~~~~~~~                                            
  compilation terminated.                                                    
  error: command 'x86_64-linux-gnu-gcc' failed with exit status 1            
  ----------------------------------------                                   
  ERROR: Failed building wheel for cryptography

Pillow error:

copying PIL/OleFileIO-README.md -> build/lib.linux-x86_64-2.7/PIL          
  running build_ext                                                          
  Traceback (most recent call last):                                         
    File "<string>", line 1, in <module>                                     
    File "/tmp/pip-install-2yueHP/Pillow/setup.py", line 767, in <module>    
      zip_safe=not debug_build(),                                            
    File "/home/t0p/dev/env/local/lib/python2.7/site-packages/setuptools/__init__.py", line 145, in setup                                                 
      return distutils.core.setup(**attrs)                                   
    File "/usr/lib/python2.7/distutils/core.py", line 151, in setup          
      dist.run_commands()                                                    
    File "/usr/lib/python2.7/distutils/dist.py", line 953, in run_commands   
      self.run_command(cmd)                                                  
    File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command    
      cmd_obj.run()                                                          
    File "/home/t0p/dev/env/local/lib/python2.7/site-packages/wheel/bdist_wheel.py", line 192, in run                                                     
      self.run_command('build')                                              
    File "/usr/lib/python2.7/distutils/cmd.py", line 326, in run_command     
      self.distribution.run_command(command)                                 
    File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command    
      cmd_obj.run()                                                          
    File "/usr/lib/python2.7/distutils/command/build.py", line 128, in run   
      self.run_command(cmd_name)                                             
    File "/usr/lib/python2.7/distutils/cmd.py", line 326, in run_command     
      self.distribution.run_command(command)                                 
    File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command    
      cmd_obj.run()                                                          
    File "/usr/lib/python2.7/distutils/command/build_ext.py", line 340, in run                                                                            
      self.build_extensions()                                                
    File "/tmp/pip-install-2yueHP/Pillow/setup.py", line 515, in build_extensions                                                                         
      % (f, f))                                                              
  ValueError: --enable-jpeg requested but jpeg not found, aborting.          
  ----------------------------------------                                   
  ERROR: Failed building wheel for Pillow

Any idea what I can do to build xsshunter_client? And are there any other clients out there, or is it this or bust?

Cheers.
