Webmail XSS Tester - Excess2

Submitted by alla on Wed, 01/12/2011 - 21:57

Here is a script to automate testing of webmail systems for cross-site scripting (XSS). It uses the XSS Cheat Sheet to generate the injection strings. Compared to the previous version, this one downloads the XSS Cheat Sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.

       excess2 - A script for testing webmail systems for cross-site scripting

       This script sends a number of HTML-formatted email messages to a
       specified email address. In order to test a webmail system you need to
       have an email account on the system, run this script to send messages
       to that account, and then view the received messages through the
       webmail interface. If you get a popup box saying "XSS!" it means that
       your webmail system failed to block the attack.

       Try viewing the messages in several different browsers, including
       Internet Explorer and Mozilla Firefox. Some attacks work in one
       browser, but don't work in another.

       The script downloads RSnake's XSS Cheat sheet from
       http://ha.ckers.org/xssAttacks.xml. This way we always have the latest
       and greatest XSS attacks. Thanks, RSnake.

       -t you@webmail.example.com      The destination email address
       -f return-address@example.com   From email address. Replies and
                                       rejects will go to that address.
       -s mymailserver.example.com     SMTP server to use for sending
       -u                              SMTP server username (if it requires authentication)
       -p                              SMTP server password (if it requires authentication)

Download here
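
The manual step described above (open each received message and watch for a popup) can be complemented by a static check of the HTML the webmail actually served for a message. The following Python code is an added example, not part of excess2: the two sample views and all names in it are constructed for illustration, and since it does not reproduce browser-specific parsing it does not replace viewing the messages in real browsers.

```python
from html.parser import HTMLParser

# Elements that run, embed or redirect content; a mail view should never emit them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet", "meta", "base"}
# Attributes whose value is a URL the browser may load or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "background", "data", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed samples: one test message as two hypothetical webmail views served it.
SANITIZED_VIEW = '<div class="msg"><p>Test 1</p><img src="https://mail.example.com/proxy/1.png"></div>'
UNSANITIZED_VIEW = (
    '<div class="msg"><p>Test 1</p>'
    '<script>alert("XSS!")</script>'
    '<img src="x.png" onerror="alert(\'XSS!\')">'
    '<a href="javascript:alert(\'XSS!\')">link</a></div>'
)

def normalize_url(value):
    """Drop whitespace and control characters, then lowercase, before scheme checks."""
    return "".join(ch for ch in value if ch > " ").lower()

class ActiveContentFinder(HTMLParser):
    """Collects (tag, reason) findings for markup that survived sanitization."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; attribute values arrive entity-decoded.
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, "active element"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and normalize_url(value or "").startswith(BAD_SCHEMES):
                self.findings.append((tag, f"script URL in {name}"))

def audit_rendered_message(html):
    """Return the findings for one message body as the webmail served it."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for label, view in (("sanitized", SANITIZED_VIEW), ("unsanitized", UNSANITIZED_VIEW)):
        print(label, audit_rendered_message(view))
```

An empty result means none of these patterns survived; any finding identifies the element and attribute the webmail's filter let through.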

