Category: Website Hacking

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt what XSS vulnerability is, what are the different types of XSS vulnerabilities and its impact on web security. Wouldn’t it be good if there was a tool that can automatically detect and exploit XSS vulnerabilities? In this blogpost, you will be learning about one such tool named XSSer which is an automatic framework to detect, exploit and report XSS vulnerabilities in web applications.

XSSer is a python script and can be installed on all Linux systems with python installed. It is installed by default in Kali Linux and we are going to use the same for this tutorial. See how to install kali Linux in virtual Box. We will be using Mutillidae in Metasploitable 2 as target to test with XSSer as it is easily available to download and this tutorial is easily reproducible. See how to install Metasploitable 2 in VirtualBox.

Mutillidae is a vulnerable web app that intentionally consists of all OWASP 10 vulnerabilities for practicing web application hacking. Also see how to create a virtual hacking lab in virtual Box. In the page shown below belonging to Mutillidae, the blog entry field consists of a XSS vulnerability. These vulnerable pages can be detected using web vulnerability scanners like OWASP ZAP aka Zaproxy, Nikto and Burpsuite etc.

XSSer can also be used to scan for XSS vulnerabilities using the “–all” option” as shown below.

However, here XSSer failed to find any XSS vulnerability. Let’s see how to find any XSS vulnerability in this specific section. For this, I start OWASP ZAP as intercepting proxy to capture web requests. Then, I change the setting in the browser to access the web through this proxy and visit the vulnerable page again on this browser.

I type “This is a new blogpost” in the blogpost entry and save the blogpost. Now, when we view the captured web request in OWASP ZAP as shown below, we can see the request being sent to the target.

Now, we copy the highlighted data above and use it in our XSSer tool. The only difference is to find out the XSS vulnerability, we add text “XSS” in the place of any vector that us vulnerable to XSS.

Note the method the query is using to pass this data. There are two methods by which data is sent and received: GET and POST. XSSer has an option to use both the methods: (-g) for GET method and (-p) for POST method. OWASP ZAP has shown us that this data is being passed using the POST method. So, we will be using the same with XSSer.

Now, you can see that vector “blog_entry” is vulnerable to cross site scripting using URL method. Here, we tried one vector. XSSer provides an option to inject a list of vectors provided by XSSer. To test all these vectors, we can use the “—auto” option. XSSer in total has 1291 injection vectors.

As you can see, XSSer found 1287 of 1291 injection vectors in the web app. XSSer also has the option of using payloads. Here the payload can be anything even the most popular <script> alert (“HC”)</script). Here is how we specify the payload in XSSer.

Here I have given the same above-mentioned script as payload.

Specify your own payload

Using the “-Fp” option, you can even specify your own payload for final injection.

Execute payload remotely

The “-Fr” option is used to execute the payload remotely.

Hello, aspiring ethical Hackers. This blogpost is a complete guide to Nikto vulnerability scanner. Nikto is a free command line web vulnerability scanner that scans web servers and detects over 6700 potentially dangerous files/CGIs, outdated server software, other vulnerabilities and misconfigurations. Nikto can also detect the installed software on the target web server. We will be running Nikto on Kali Linux as it is installed by default in Kali Linux. So let’s start.

Let’s start with a version check (-Version)

The “version” option of Nikto checks for the version of the software, plugins and database versions.

Checking Database (-dbcheck)

It’s always a good thing to check for any errors in the scan database before scanning. The “-dbcheck” option of Nikto checks the scan databases for any errors.

The Host option (–host) (-h)

To scan a target using Nikto, first we need to specify a target. To set the target, we need to use the “host” option. This is shown below.

The target can be IP address of the webserver or URL of the website. This scan took 45 seconds to finish.

The Host option (–ssl)

To scan a website with HTTPS enabled with nikto, we can use the “SSL” option.

The Port option (–port)

By default, Nikto scans the default HTTP and HTTPS ports when specified. However, if the target web server is running on a custom port you can set Nikto to scan a different port by using the “port” option.

Scanning for CGI directories (–Cgidirs)

To scan for the presence of all CGI directories on the target webserver, the “cgidirs” option can be used.

You can specify a specific CGI directory to search or you can use “all” value to scan for all CGI directories on the target.

What output you want Nikto to show? (–Display)

To control the type and amount of output Nikto shows after finishing the scan, we can use the “Display” option. Here are the values that can be set for the Display option.

How much time you want Nikto to spend on a scan? (–maxtime)

Using the “maxtime” option, we can specify the maximum time to spend for scanning a target. This time can be specified in seconds.

As you can see, the scan ended in 2 seconds while earlier the same scan took 45 seconds.

Don’t look for names (-nolookup)

The “nolookup” option specifies Nikto to not query for names when an IP address is specified.

Don’t look for pages that are not there (–no404)

The “no404” option specifies Nikto to disable “file not found” checking. This will reduce the total number of requests made to the target.

Just discover the ports (–findonly)

If you want to just find the HTTP(S) ports of a target without performing any security scan, you can use the “–findonly” option. Specifying this option allows Nikto to connect to HTTPS or HTTP ports and report the server header.

The Timeout option (–timeout)

The “–timeout” option specifies time to wait before timing out a request. The default timeout of Nikto is 10 seconds.

The Pause option (–Pause)

By using “–Pause” option of Nikto, we can specify delay between each test Nikto performs.

What if we have to authenticate? (–id)

With the “-id” option you can use Nikto to perform basic authentication to the target.

The tuning option (–tuning)

With the “-Tuning” option, we can control the test that Nikto will use against a target. It can take the following values.

For example, this is how we test for misconfigured files on the target.

See all Nikto plugins (–list-plugins)

Nikto has lot of plugins that can be used against various targets. To view all these plugins, we can use the “–list-plugins” option.

Use a particular plugin (–Plugins)

To use a particular plugin, we can use the “Plugins” option. For example, let’s use the robots plugin as shown below.

Can Nikto evade detection? (–evasion)

While scanning, Nikto can use various techniques to evade Intrusion Detection System (IDS). The evasion techniques of Nikto are given below.

Saving output (-o)

Nikto can save the output of the scan in a file with the “output(-o)” as shown below.

Formats in which you can save output (-Format)

You can save in different formats you like using the “-Format” option. Valid formats are csv, htm, txt and xml.

That is the complete guide for Nikto vulnerability scanner. If you have any questions bring them in the comments section.