Posts tagged: Excess2

Jan 12 2011

Excess2 – Webmail XSS Tester

Here is a script to automate testing of webmail systems for cross-site scripting. It uses XSS Cheat Sheet to generate the injection strings. Compared to the previous version this version downloads XSS cheat sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.

excess2 – A script for testing webmail systems for cross-site scripting problems.

This script sends a number of HTML-formatted email messages to a specified email address. In order to test a webmail system you need to have an email account on the system, run this script to send messages to that account, and then view the received messages through the webmail interface. If you get a popup box saying “XSS!” it means that your webmail system failed to block the attack.

Try viewing the messages in several different browsers, including Internet Explorer and Mozilla Firefox. Some attacks work in one browser, but don’t work in another.

The script downloads RSnake’s XSS Cheat sheet from This way we always have the latest and greatest XSS attacks. Thanks, RSnake.

-t The destination email address
-f From email address. Replies and
rejects will go to that address.
-s SMTP server to use for sending
-u SMTP server username (if it requires authentication)
-p SMTP server password (if it requires authentication)

Download: Excess2