Cross-site scripting (XSS) is a rising problem for web applications. An attacker may exploit an XSS bug and take advantage of it in ways that cause great harm to the website. XSS is not a minor matter that an administrator can ignore: it is a big issue because it leads to session hijacking, so for eCommerce web services an XSS bug is a key point of failure.
Many tools for XSS penetration testing have been discussed before. Secure your website before a hacker exploits it; if you want to find vulnerabilities in your web application, use XSSF.
The Cross-Site Scripting Framework (XSSF) is a security tool designed to turn the XSS vulnerability exploitation task into much easier work. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities, popularizing their exploitation. This project is created solely for education, penetration testing and lawful research purposes.
XSSF allows creating a communication channel with the targeted browser (from an XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.
XSSF provides a powerful, documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser-based exploits easily from an XSS vulnerability.
The great feature is the Metasploit integration, which allows you to run an exploit against a vulnerability; that will surely give an attacker root access on the web server, which is really harmful.
Load XSSF Into Metasploit
- Start Metasploit Framework (Console for example)
- Connect to a database if that’s not automatically done
- Load the XSSF plugin using the command ‘load xssf’. The XSSF server port can be modified using the option ‘ServerPort=80’ after the load command. The XSSF server URI can be changed using the option ‘ServerUri=/’.