Webmail XSS Tester - Excess2

Here is a script to automate testing of webmail systems for cross-site scripting. It uses XSS Cheat Sheet to generate the injection strings. Compared to the previous version this version downloads XSS cheat sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.

       excess2 - A script for testing webmail systems for cross-site scripting

       This script sends a number of HTML-formatted email messages to a
       specified email address. In order to test a webmail system you need to
       have an email account on the system, run this script to send messages
       to that account, and then view the received messages through the
       webmail interface. If you get a popup box saying "XSS!" it means that
       your webmail system failed to block the attack.

       Try viewing the messages in several different browsers, including
       Internet Explorer and Mozilla Firefox. Some attacks work in one
       browser, but don't work in another.

       The script downloads RSnake's XSS Cheat sheet from
       http://ha.ckers.org/xssAttacks.xml. This way we always have the latest
       and greatest XSS attacks. Thanks, RSnake.

       -t you@webmail.example.com        The destination email address
       -f return-address@example.com      From email address. Replies and
       rejects will go to that address.
       -s mymailserver.example.com       SMTP server to use for sending
       -u    SMTP server username (if it requires authentication)
       -p    SMTP server password (if it requires authentication)

Download here


Excess2 needs Net::SMTP::TLS and XML::Simple modules from CPAN. On Ubuntu it can be installed by 'sudo apt-get install libnet-smtp-tls-perl libxml-simple-perl'.

I found this : You don't have permission to access /sites/default/files/excess2.pl_.txt on this server

Sorry about that. Fixed it. Thanks for letting us know.


I was just checking out excess2.pl and noticed that the xml file by RSnake used for input has URL encoded the key characters within the code tags, surely these should be being URL decoded before the mail is put together or have I missed something there?

Well, I suppose you are right, unless the XML parsing module we are using decodes them automatically.

But, since RSnake's list hasn't been updated for a long while, I don't think it makes whole lot of difference.

You can add htmldecode by adding the following directive:
use HTML::Entities;

and then change:
my $code = %{$xmldoc->{attack}}->{$key}->{code};
print "Now testing: $name $code\n";

my $code = %{$xmldoc->{attack}}->{$key}->{code};
$code = decode_entities($code);
print "Now testing: $name $code\n";

I received this error on a server configured to only support HELO and not EHLO command:
Can't call method "mail" on an undefined value at ./excess2.pl line 121.

To the initial EHLO command the server repsonded with a 501 error after which the SMTP library sends the required HELO command, but terminates the connection itself.

Fixed by changing:

} else {
$smtp = Net::SMTP->new($server);


$smtp = Net::SMTP->new(
Hello => "hostnamehere"

Is this script still being updated? I had to find another location for the xssAttacks.xml file since ha.ckers.org isn't responding (temporary?). Then, using gmail as the smtp server (smtp.gmail.com:465), I get what look like perl errors:

Now testing: Half-Open HTML/JavaScript