Advanced exploits using XSS SHELL 2023
In this article we will learn about Advanced exploits using XSS SHELL.
Introduction to Advanced exploits using XSS SHELL:
Before we understand what XSS Shell is, let’s recall some basics of XSS (Cross Site Scripting).
XSS is one of the most common vulnerabilities in web applications today. It is a technique by which an attacker compromises a web application by getting a malicious script to run in the context of the site. In doing so the attacker subverts the browser’s “Same-Origin” policy, which says that a script originating from a foreign site, i.e. one that does not belong to the same domain (document.domain), should not be treated as part of the application.
Once an attacker is able to detect XSS in a web application, they can use this vulnerability to perform various kinds of attacks. A few of them are:
- Credential theft
- Session token theft
- Website defacement
- Denial of service (DoS)
- Installation of keyloggers, and many more.
Cross-Site Scripting exists in three different forms:
- Reflected XSS
- Stored XSS
- DOM-based XSS
Reflected XSS
This kind of vulnerability exists in applications that use dynamic pages to display content to users. Typically such an application takes a message from a request parameter and renders it back to the user.
For example:
Consider the URL: http://www.samplesite.com/error.html?value=learn+hacking
The application’s response will display the message “learn hacking”. That is, the application extracts the message from the URL, processes it and displays it to the user: data entered by the user in the URL is inserted into the server’s response. If that data is not properly sanitized, the application is vulnerable to Reflected XSS.
URLs can be created as:
http://www.samplesite.com/error.html?value=
When you click on the above URL, a warning window will appear.
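The reflected pattern just described, as an added example that is not part of the original article: a hypothetical handler for error.html that echoes the value parameter, first as written (vulnerable) and then with HTML encoding applied to the output, which is the fix for this class of bug. The URLs are constructed samples.

```javascript
// Added example, not from the article. Hypothetical error.html handler that echoes
// the `value` query parameter; the URLs below are constructed samples.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function getValueParam(url) {
  return new URL(url).searchParams.get('value') || '';
}

// Vulnerable: user input is concatenated straight into the response body.
function renderErrorPageUnsafe(url) {
  return `<html><body><p>${getValueParam(url)}</p></body></html>`;
}

// Hardened: same page, but the input is encoded for the HTML text context it lands in.
function renderErrorPageSafe(url) {
  return `<html><body><p>${escapeHtml(getValueParam(url))}</p></body></html>`;
}

// Crude check used only for this demonstration: does the response carry a raw script element?
function containsScriptElement(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed samples: the article's benign URL and a probe carrying a script tag.
const BENIGN_URL = 'http://www.samplesite.com/error.html?value=learn+hacking';
const PROBE_URL = 'http://www.samplesite.com/error.html?value=' +
  encodeURIComponent('<script>alert(1)</script>');

// Returns, for each renderer, whether the probe ends up as executable markup.
function compareRenderers() {
  return {
    unsafe: containsScriptElement(renderErrorPageUnsafe(PROBE_URL)),
    safe: containsScriptElement(renderErrorPageSafe(PROBE_URL)),
  };
}
```

Encoding must match the context the data lands in; the text-node encoder above is not sufficient on its own for attribute, URL or JavaScript contexts.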
Stored XSS
This type of vulnerability exists in applications that take user input and store it in the application and then display it to other users.
For example:
Consider a Facebook application that allows you to comment on any pictures or status updates and then it will be visible to all other users. If the application does not properly sanitize input, an attacker can write a script in the comments area so that users who visit or view a particular page or post are affected.
So Stored XSS involves two steps. First, the attacker injects a malicious script into the application. Second, a user visits the affected page and the script executes in the background without the user’s knowledge.
DOM-based XSS
DOM stands for Document Object Model. It is quite different from the other two attacks described above. In DOM-based XSS, when users click on a crafted URL, the server’s response does not consist of the attacker’s script. Instead, the browser executes a malicious script while processing the response.
This is because the browser’s document object model exposes the URL used to load the current page. A script shipped by the application can extract data from that URL and process it, dynamically building the page content from whatever was passed in the URL.
What is XSS Shell?
The XSS Shell is a tool developed in ASP .NET that acts as a backdoor between the attacker and the victim. With plain XSS, the attacker has only one shot at the victim: once the victim navigates away from the page carrying the script, the attacker’s interaction with the victim ends. XSS Shell instead opens an interactive channel to the victim, over which the attacker sends commands. Even if the victim navigates away from the vulnerable or malicious page, the attacker can keep communicating because XSS Shell regenerates the page.
The interactive shell or communication channel the attacker establishes with the victim is called the “XSS Tunnel”. XSS Tunnel is used to tunnel HTTP traffic between two XSS-exposed machines. Technically it is built on AJAX, which can send requests, receive responses and talk across domains.
Attack process:
- Set up an XSS Shell server.
- Configure XSS Tunnel to use the XSS Shell server.
- Inject a malicious script into a vulnerable website.
- Run XSS Tunnel and wait for the victim.
- Configure your browser or tool to use XSS Tunnel.
- When the victim visits the vulnerable page, start using XSS Tunnel.
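Of the steps above, the injection into the vulnerable site is the one a defender can look for in the web server’s access log. The following is an added example, not part of the article or of the XSS Shell tool, that scans constructed IIS W3C-style log lines for script markup arriving in query parameters such as the value parameter of the error.html example; the IP addresses and the host name are documentation-reserved placeholders.

```javascript
// Added example, not from the article or the XSS Shell tool. Constructed IIS W3C-style
// access-log lines; addresses and hosts are documentation-reserved placeholders.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-05-01 10:00:01 203.0.113.5 GET /error.html value=learn+hacking 200
2023-05-01 10:00:07 203.0.113.9 GET /error.html value=%3Cscript+src%3D%22http%3A%2F%2Fexample.net%2Fx.js%22%3E%3C%2Fscript%3E 200
2023-05-01 10:00:09 198.51.100.2 GET /error.html value=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2023-05-01 10:00:12 203.0.113.5 GET /index.html - 200`;

// Indicators checked in order; a script element with a src is the signature of a page
// pulling in a remote payload, which is how a shell-style injection is delivered.
const INDICATORS = [
  { name: 'remote-script', re: /<\s*script\b[^>]*\bsrc\s*=/i },
  { name: 'inline-script', re: /<\s*script\b[^>]*>/i },
];

// Decode a query value the way the server would see it ('+' as space, then %XX).
function decodeQueryValue(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw; // malformed encoding: keep the raw text so it is still inspected
  }
}

// Parse one W3C log line into its fields; comment lines and blank lines yield null.
function parseLogLine(line) {
  if (!line || line.startsWith('#')) return null;
  const [date, time, ip, method, stem, query, status] = line.trim().split(/\s+/);
  return { date, time, ip, method, stem, query, status };
}

// Return one hit per (request, parameter) whose decoded value matches an indicator.
function findXssAttempts(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const entry = parseLogLine(line);
    if (!entry || entry.query === '-') continue;
    for (const pair of entry.query.split('&')) {
      const eq = pair.indexOf('=');
      const name = eq < 0 ? pair : pair.slice(0, eq);
      const value = decodeQueryValue(eq < 0 ? '' : pair.slice(eq + 1));
      const ind = INDICATORS.find((i) => i.re.test(value));
      if (ind) hits.push({ time: entry.time, ip: entry.ip, stem: entry.stem, param: name, indicator: ind.name });
    }
  }
  return hits;
}
```

A hit in the log shows an attempt, not a successful injection; the response body, or a browser-side Content-Security-Policy report, is needed to confirm whether the markup was actually reflected.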
How XSS Shell works

Figure A
As shown in the figure, the attacker first establishes a connection with the XSS Shell and injects a malicious script into the web application using Stored or Reflected XSS. Once the victim clicks on or visits the vulnerable application with the malicious script, a request is sent to the XSS Shell Server. Based on the request, the server creates a channel to interact with the victim.

Figure B
After establishing a channel between the victim and the XSS Shell server, the attacker can control the communication through the XSS Shell interface. An XSS Shell is nothing but a GUI that provides a certain set of commands that an attacker executes to perform certain actions.
When a command is executed, the corresponding function or script is invoked on the XSS Shell server and sent to the victim. The script is processed and run in the victim’s browser, which sends the results back to the XSS Shell server. The server stores the results in the “MS-Access” database it uses for all of its data, and the attacker can extract and view them from that database whenever needed.
Some of the commands that the XSS interface provides are:
- Get cookie
- Get current page
- Get clipboard
- Get keylogger data
- Crash browser
Another advantage of XSS Shell is that it is open source, and it is quite easy to implement new commands.
Requirements:
- An IIS server that can host ASP.NET files.
- Microsoft Access (.mdb)
- A website vulnerable to XSS, against which the attack is carried out.
Environment setup:
- Download XSSShell from:
- Configure IIS to host the website.
- Install XSS Shell.
- Configure XSS Shell.
IIS configuration:
To configure IIS on Windows 7 or later, follow these steps:
- Click the Start menu and open Control Panel.
- Click “Programs”, then “Turn Windows features on or off”.
- In the “Windows Features” dialog that appears, expand “Internet Information Services” and select the default features to be installed with IIS.
- If necessary, expand the other categories and install any additional features.
- If you want to use IIS for evaluation purposes, we recommend installing the additional features.
IIS is now set up on the computer and can be accessed at http://localhost/

Figure C
Figure C shows the IIS 7 default page.
Installation
- XSS Shell uses ASP .NET and an MS-Access database, so make sure both are installed on your computer.
- Configuring the XSS Shell admin interface:
After downloading XSSShell.zip, unzip it; you will see two folders, “XSSshell” and “XSSTunnel”.
XSSshell is the admin interface and must be set up on your machine: copy the “XSSshell” folder to your web server.

Figure D
Figure D shows the structure of the “XSSshell” folder.
- In the XSSShell folder there is a subfolder named “db”, shown in the image above. Move it to a safe location, because XSSshell stores all captured data in this database, whether victim session cookies or any other compromised data belonging to the victim.
- After moving the “db” folder, set its path in the “db.asp” file in the “XSSshell/admin” folder so that the interface knows where the database is and can work with it.

Figure E
Figure E shows the path where the XSSshell database is kept.
Edit the path so that it points to the location of the “db” folder on your machine.

Figure F
Figure F shows the default password for accessing the “shell.mdb” file. You can change it to whatever you want.
You can now access the admin interface using the localhost URL or the domain name you configured, for example http://localhost/xssshell or http://yourhostname.com/xssshell
It uses port 80 by default; if you changed the port number when configuring the domain, you must include the port number in the URL.
XSS Shell configuration:
- Open “xssshell.asp” in the “XSSshell” folder.
- Configure the server path, i.e. the location of the XSSshell folder.

Figure G
Figure G shows the server path configuration in xssshell.asp. Edit the “SERVER” parameter so that it points to the location of the “XSSshell” folder on your machine.
- Now access your admin interface from the browser.

Figure H
Figure H shows the XSSshell admin interface.
The interface has three parts, visible in the image above.
Commands
As mentioned earlier, XSSshell has predefined commands that make it easy for the attacker to act on the victim. The Commands section lists all the commands supported by the shell. Since it is open source, you can modify it and add your own features.
Victims
The Victims section displays a list of victims.
Logs
The Logs section displays a list of actions performed on victims.
XSS tunnel
XSSTunnel is a proxy-like tool that runs on the attacker’s machine and captures the traffic passing through the XSS channel on the XSSshell server.

Figure I
Figure I shows the XSS tunnel configuration settings.
As mentioned earlier, XSS Tunnel acts as a proxy that intercepts traffic through the XSS channel opened via the XSSshell server. To do this, XSS Tunnel needs to know where the XSSshell server is running.
The XSSshell information (i.e. where it runs) is configured in XSS Tunnel from the “Options” tab.
Enter the server address and password, then click “Test Server” to make sure it is working. If the configuration is correct, you will receive a success message.

Figure J
Figure J shows the connection established successfully.
Once done with configuration, click on “Start XSS Tunnel” on the top of the window. Then you can see all the actions performed by the victim from XSS Tunnel’s “Dashboard”.


Figure K
Figure K shows all the pages visited by the victim and the actions taken.
Conclusion
XSSshell is an interface or tool that opens a gateway for the attacker to perform various attacks on the victim without losing the connection once established.