Scanner	Version	Build		Vendor
XSSer	1.5	1		psy

Tested Against WAVSEP Version:

1.0.3

Product Details:

Accurate Version	License / Technology	Last Update	Source Code Activity
1.5 (Beta) Build 1	GPL3 Python 2.5.x	24-02-2011

General Features:

GUI	Config	Usage	Stability	Performance	Report	ScanLog	Pause	Session
	Complex	Simple	Unstable	Fast

Authentication, Control and Connection Features:

Custom Cookie

Custom Header

B A S I C

D I G E S T

N T L M

N T L M v 2

K E R B E R O S

F O R M

PROXY

GZIP

DEFLATE

SSL

CERT

Logout Detection

Exclude Logout

Exclude URL

Exclude Param

Coverage Features:

C O U N T

Manual Crawl

URL File

Html Crawler

Ajax Crawler

Flash Crawler

Applet Crawler

Silverlight Crawler

WSDL Crawler

REST Crawler

Field Autofill

Smart Autofill

Anti CSRF Support

Viewstate Support

CAPTCHA Bypass

WAF Bypass

4

Input Vector Support:

C O U N T

G E T

P O S T

C O O K I E

H E A D E R

S E C R E T

P N a m e

X M L

X m l A T T

X m l T A G

J S O N

. N e t E N C

A M F

J a v a S E R

. N e t S E R

W C F

W C F - B i n

W e b S o c k

D W R

C u s t o m

4

Audit Features:

C O U N T

S Q L i

B S Q L i

S S J S i

R X S S

P X S S

D X S S

J S O N h

L F I

R F I

C M D E x e c

U P L O A D

R E D I R E C T

C R L F i

L D A P i

X P A P H i

M X i

S S I

F O R M A T i

C O D E i

X M L i

E L i

B U F F E R o

I N T E G E R o

C O D E D i s c

B A C K U P f

P A D D I N G

A U T H b

P R I V e

X X E

S E S S I O N

F I X A T I O N

C S R F

A D o S

2

Complimentary Audit Features:

WebServer Hardening	CGI Scanning	Dir & File Enumeration	Passive Analysis	Additional Features
				Exploitation features, Rough manual crawling support due to the URL file parsing feature (No FORM submission), GET/POST coverage (rough POST coverage for single URL scans).

The Reflected XSS Detection Accuracy of the Scanner:

Detection Accuracy			Chart
34.85% Detection Rate 57.14% False Positives	(23/66) (4/7)

Additional Audit Features:

Plenty of different XSS flavors.

Additional Features:

Exploitation features, Rough manual crawling support due to the URL file parsing feature (No FORM submission), GET/POST coverage (rough POST coverage for single URL scans).

Overview:

The tool implements some useful and even rare features (DOM XSS, etc), but is very difficult to execute it in an effective manner on a large scale application, and naturally, as an alpha product, its prone to various bugs.

Copyright © 2012 by Shay Chen (sectooladdict). All rights reserved.
Click here to learn how this information may be published or reused.