The Cross-Site Scripting Framework (XSSF)
is a security tool designed to turn the XSS vulnerability exploitation
task into a much easier work. The XSSF project aims to demonstrate the
real dangers of XSS vulnerabilities, vulgarizing their exploitation.
This project is created solely for education, penetration testing and
lawful research purposes.
XSSF allows creating a communication channel with
the targeted browser (from a XSS vulnerability) in order to perform
further attacks. Users are free to select existing modules (a module =
an attack) in order to target specific browsers.
XSSF
provides a powerful documented API, which facilitates development of
modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser based exploit easily from XSS vulnerability.
In
addition, an interesting though exploiting an XSS inside a victim’s
browser could be to browse website on attacker’s browser, using the
connected victim’s session. In most of cases, simply stealing the victim
cookie will be sufficient to realize this action. But in minority of
cases (intranets, network tools portals, etc.), cookie won’t be useful
for an external attacker. That’s why XSSF Tunnel was created to help the attacker to help the attacker browsing on affected domain using the victim’s session.
Open your kali Linux terminal and type cd /opt/metasploit/apps/pro/msf3
In msf3 install xssf using following command
Svn export http://xssf.googlecode.com/svn/trunk ./ –force now xssf is successfully install in your metasploit
Load XSSF plugin using the command ‘load xssf’
Type help xssf to find all xssf commands
Now use xssf_urls command to get all list of all available URL
Send the link of the server to the victim via chat or email or any social engineering technique.
We can see information related to any of the victims using the command xssf_information
Fuente:http://www.hackingarticles.in/xssf-cross-site-scripting-framework-in-metasploit/
No hay comentarios:
Publicar un comentario