Scanit - The security company

Excess - webmail XSS tester

Author:

Alla Bezroutchko

Description:

Excess is a tool for testing webmail systems for persistent cross-site scripting vulnerabilities. It sends a number of HTML-formatted email messages to a specified email address. To test a webmail system you need an email account on that system: run this script to send messages to the account, then view the received messages through the webmail interface. If you get a popup box saying "XSS", the webmail system failed to block the attack.

Try viewing the messages in several different browsers, including Internet Explorer and Mozilla Firefox. Some attacks work in one browser, but don't work in another.

The script uses the tricks from RSnake's XSS Cheat Sheet to bypass the filters a webmail system might be using to remove potentially dangerous scripting.
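The layer Excess is probing is the webmail's HTML filter: received HTML must be reduced to a safe allowlist before it is rendered in the reader's browser. The following allowlist sanitizer is an added illustration of that defence, not code from Excess or Scanit; the tag and attribute allowlist, the helper names and the sample messages are assumptions. It drops script and style content, unknown tags, every attribute not on the allowlist (so all on* event handlers) and any href or src that is not an absolute http(s) or mailto URL, and it re-escapes text so that nothing in the message body is reinterpreted as markup.

```python
"""Allowlist-based HTML sanitizer of the kind a webmail reader needs before
it renders a received message. Added example; assumes Python 3.8+ stdlib only."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tags a webmail reader may pass through, with the
# attributes permitted on each. Anything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "em": set(), "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}                      # never emit a closing tag
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT_TAGS = {"script", "style"}        # element *and* its text go


def _safe_url(value):
    """Accept only absolute http(s)/mailto URLs; rejects javascript:, data:,
    vbscript: and relative references that could resolve somewhere unexpected."""
    return value.strip().lower().startswith(SAFE_URL_SCHEMES)


class Sanitizer(HTMLParser):
    """Rebuilds the document from parsed events, keeping only allowlisted parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue      # drops onerror, onclick, style, ...
            if name in ("href", "src") and not _safe_url(value):
                continue      # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded entities such as &lt;
        # can never turn back into a tag in the rendered message.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and other declarations are silently dropped by the
    # base class defaults, which is what a webmail filter wants.


def sanitize_html(html):
    """Return the allowlisted subset of `html` as a string."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample message body of the kind a tester would send.
    sample = ('<p>Hello <b>there</b></p>'
              '<script>alert("XSS")</script>'
              '<img src="https://example.com/a.png" onerror="alert(1)">')
    print(sanitize_html(sample))
```

A sanitizer like this is only the first half of the check: the cheat-sheet tricks the tool relies on exploit disagreements between the filter's parser and the browser's, which is why the page tells you to view the delivered messages in several browsers rather than trusting the filter's own output.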

Usage:

$ excess -t you@webmail.example.com -f return-address@example.com -s mymailserver.example.com

Options:

 -t you@webmail.example.com       The destination email address.
 -f return-address@example.com    From email address. Replies and rejects will go to that address.
 -s mymailserver.example.com      SMTP server to use for sending messages.

Download:

Get it here.