ezXSS is an easy way for penetration testers and bug
bounty hunters to test (blind) Cross Site Scripting.
- Easy to use dashboard with statistics, payloads, view/share/search reports
- Payload generator
- Instant alerts via mail, Telegram or custom callback URL
- Custom javascript payloads
- Custom payload links to distinguish insert points
- Block, whitelist and other filters
- Share reports with a direct link, via email or with other ezXSS users
- Secure your login with Two-factor (2FA)
- The following information can be collected on a vulnerable page:
- The URL of the page
- IP Address
- Any page referer (or share referer)
- The User-Agent
- All Non-HTTP-Only Cookies
- All Locale Storage
- All Session Storage
- Full HTML DOM source of the page
- Page origin
- Time of execution
- Payload URL
- Screenshot of the page
- Extract additional defined pages
- its just ez :-)
- Server or hosting with PHP 7.1 or up
- Domain name (consider a short one)
- SSL Certificate if you want to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL)
ezXSS is ez to install with Apache, NGINX or Docker
visit the wiki for installation instructions.
For a demo visit demo.ezxss.com/manage with password demo1234. Please note that some features might be disabled in the demo version.