xssf v3.0 (Cross-Site Scripting Framework) released

XSSF allows creating a communication channel with the targeted browser (from a XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.
XSSF provides a powerfull documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser based exploit easilly from an XSS vulnerability.
In addition, an interesting though exploiting an XSS inside a victim's browser could be to browse website on attacker's browser, using the connected victim's session. In most of cases, simply stealing the victim cookie will be sufficient to realize this action. But in minority of cases (intranets, network tools portals, etc.), cookie won't be useful for an external attacker. That's why XSSF Tunnel was created to help the attacker to help the attacker browsing on affected domain using the victim's session.
New version is supported by current MSF 4.6.0-dev and Backtrack 5R3 / Ubuntu 12.04 / Kali 1.0 / Windows 7 (at least).
Download & Install
Download can be done directly with the last packaged version in download section. Using the SVN repository is a better way of downloading and updating XSSF as the SVN trunk version is always up-to-date.
Installation is made to be easy and downloaded files only have to be placed within Metasploit installation directory. For people having installation issues, please refer you to the project Wiki pages. Installation on Ubuntu systems is explained here in case Wiki pages are not sufficient.
Download - XSSF-3.0.zip 1.6 MB Download older versions Description: New XSSF version 3.0 XSSF database was becoming hard to maintain within MSF due to fast MSF / Ruby developments and changes. New version replaces former database with simple tables in memory (as model was very simple), and should remove previous issues triggered at each MSF update. As database functionalities are suppressed, two new functions are added 'xssf_save_state [fileName]' and 'xssf_restore_state [fileName]' to save new 'database' state and rebuild it on same computer or different one, keeping already linked victims. Restoring saved state will erase your current victims and logs. This version was only tested on Linux : Ubuntu / Kali platforms for now, please feel free to inform within the issues page any problem or bug with XSSF. Source- https://code.google.com/p/xssf/ |