  • Stars: 1,458
  • Rank: 32,260 (Top 0.7 %)
  • Language: JavaScript
  • License: MIT License
  • Created over 3 years ago
  • Updated 8 months ago


Repository Details

An easy-to-setup version of XSS Hunter. Sets up in five minutes and requires no maintenance!

XSS Hunter Express

Sets up in 5 minutes and requires no maintenance

The fastest way to set up XSS Hunter to test and find blind cross-site scripting vulnerabilities.

Setup (Five minutes, try not to skim too much)

Requirements

  • docker and docker-compose installed
  • Host with at least 2 GB of RAM
  • A hostname (e.g. host.example.com) which you can map to your server's IP (have DNS control for)
  • [For Email Notifications] To receive email notifications of XSS payload fires you'll need an email account with valid SMTP credentials. You can use many regular email accounts like Gmail for this purpose. This is not required if you don't want email notifications.

Configuring Your Instance

To set up XSS Hunter Express, modify the docker-compose.yaml file with your appropriate settings/passwords/etc.

The following are some YAML fields (in docker-compose.yaml) you'll need to modify before starting the service:

  • HOSTNAME: Set this field to the hostname you want to use for your payloads and for accessing the web admin panel. It is often kept as short as possible (e.g. xss.ht) so the payload fits into length-limited fields during testing. This hostname should be mapped to the IP address of your instance (via a DNS A record).
  • SSL_CONTACT_EMAIL: In order to automatically set up and renew TLS/SSL certificates via Let's Encrypt you'll need to provide an email address.

The following are needed if you want email notifications:

  • SMTP_EMAIL_NOTIFICATIONS_ENABLED: Leave enabled to receive email notifications (you must also configure the SMTP settings below).
  • SMTP_HOST: The host of your SMTP server where your email account is hosted (e.g. smtp.gmail.com).
  • SMTP_PORT: The port of your SMTP server (e.g. 465).
  • SMTP_USE_TLS: Utilize TLS if your SMTP server supports it.
  • SMTP_USERNAME: The username of the email account on your SMTP server (e.g. exampleuser).
  • SMTP_PASSWORD: The password of the email account on your SMTP server (e.g. Password1!).
  • SMTP_FROM_EMAIL: The email address of your email account on the SMTP server (e.g. [email protected]).
  • SMTP_RECEIVER_EMAIL: What email the notifications will be sent to. This may be the same as the above but could be different.

Finally, the following is worth considering for the security conscious:

  • CONTROL_PANEL_ENABLED: If you want to minimize the attack surface of your instance you can disable the web control panel. This makes it so you'll only receive emails of payload fires (results will still be stored on disk and in the database).

Build & Start XSS Hunter Express

Once the configuration is in place, run the following commands to start the service:

# Change into the repo directory
cd xsshunter-express/
# Start up postgres in the background
docker-compose up -d postgresdb
# Start up the service
docker-compose up xsshunterexpress

Assuming all has gone well, you'll see an admin password printed onto your screen. Use this to log into the web panel now hosted at https://your-hostname.com/admin/.

NOTE: The very first HTTP request to your instance will be slow due to the fact that the service will automatically generate a TLS/SSL certificate. This should only take ~15 seconds.
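Before running the commands above it is worth checking that docker-compose.yaml no longer carries the README's sample values and that the notification path is encrypted. The following pre-flight lint is an added example, not code from the xsshunter-express project: it parses the `environment:` block of the xsshunterexpress service and reports placeholder hostnames, an unusable SSL_CONTACT_EMAIL, incomplete or sample SMTP settings, SMTP_USE_TLS left off, and a still-enabled control panel. The variable names are the ones listed in this README; the compose layout it expects (a `services:` map holding an `xsshunterexpress` service with an `environment:` block), the defaults it assumes for absent keys, and the two sample compose files (a weak one and a hardened one) are constructed for the example.

```python
"""Pre-flight lint for an XSS Hunter Express docker-compose.yaml (added example).

Not project code: it reads one compose service's `environment:` block and flags
settings that would leave a self-hosted instance broken or needlessly exposed.
Variable names come from the README; file layout, assumed defaults and
placeholder patterns are this example's own.
"""
import re

# Illustrative values from the README; they must never reach a live instance.
README_SAMPLES = {"host.example.com", "your-hostname.com", "exampleuser", "Password1!"}
SMTP_REQUIRED = ("SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD",
                 "SMTP_FROM_EMAIL", "SMTP_RECEIVER_EMAIL")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_environment(compose_text, service="xsshunterexpress"):
    """Return {KEY: value} from `environment:`; handles `- K=v` and `K: v`, not full YAML."""
    env, in_service, in_env, service_indent, env_indent = {}, False, False, 0, 0
    for raw in compose_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if not in_service:
            if line == service + ":":
                in_service, service_indent = True, indent
            continue
        if indent <= service_indent:      # left the service block
            break
        if not in_env:
            if line == "environment:":
                in_env, env_indent = True, indent
            continue
        if indent <= env_indent:          # left the environment block
            in_env = False
            continue
        if line.startswith("- "):         # list form: - KEY=value
            key, _, value = line[2:].strip().strip("'\"").partition("=")
        else:                             # mapping form: KEY: value
            key, _, value = line.partition(":")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def is_true(value):
    """Compose passes environment values as strings; normalise the usual booleans."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")

def lint_environment(env):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    if env.get("HOSTNAME", "") in README_SAMPLES or not env.get("HOSTNAME"):
        findings.append(("error", "HOSTNAME is unset or still a README placeholder"))
    if not EMAIL_RE.match(env.get("SSL_CONTACT_EMAIL", "")):
        findings.append(("error", "SSL_CONTACT_EMAIL is not an address; Let's Encrypt needs one"))
    if is_true(env.get("SMTP_EMAIL_NOTIFICATIONS_ENABLED", "false")):
        missing = [k for k in SMTP_REQUIRED if not env.get(k)]
        if missing:
            findings.append(("error", "notifications enabled but unset: " + ", ".join(missing)))
        if env.get("SMTP_PASSWORD") in README_SAMPLES:
            findings.append(("error", "SMTP_PASSWORD is the README sample value"))
        if not is_true(env.get("SMTP_USE_TLS", "false")):
            findings.append(("warn", "SMTP_USE_TLS is off; fire reports carry cookies and DOM, send them over TLS"))
    if is_true(env.get("CONTROL_PANEL_ENABLED", "true")):   # assumed default: panel on
        findings.append(("info", "CONTROL_PANEL_ENABLED is on; disable it if email reports suffice"))
    return findings

# Constructed weak compose: README sample values, SMTP_HOST/PORT/FROM missing, TLS off.
WEAK_COMPOSE = """\
services:
  xsshunterexpress:
    environment:
      - HOSTNAME=host.example.com
      - SSL_CONTACT_EMAIL=not-an-address
      - SMTP_EMAIL_NOTIFICATIONS_ENABLED=true
      - SMTP_USE_TLS=false
      - SMTP_USERNAME=exampleuser
      - SMTP_PASSWORD=Password1!
      - SMTP_RECEIVER_EMAIL=secops@example.org
      - CONTROL_PANEL_ENABLED=true
"""

# Constructed hardened counterpart (mapping spelling; .invalid is a reserved TLD;
# the password is injected from the operator's shell rather than committed).
HARDENED_COMPOSE = """\
services:
  xsshunterexpress:
    environment:
      HOSTNAME: probes.lab.invalid
      SSL_CONTACT_EMAIL: certs@lab.invalid
      SMTP_EMAIL_NOTIFICATIONS_ENABLED: "true"
      SMTP_HOST: smtp.lab.invalid
      SMTP_PORT: "465"
      SMTP_USE_TLS: "true"
      SMTP_USERNAME: notifier
      SMTP_PASSWORD: "${SMTP_PASSWORD}"
      SMTP_FROM_EMAIL: notifier@lab.invalid
      SMTP_RECEIVER_EMAIL: secops@lab.invalid
      CONTROL_PANEL_ENABLED: "false"
"""
```

Run `lint_environment(parse_environment(open("docker-compose.yaml").read()))` from the repo directory before `docker-compose up`; the weak sample above yields four errors, one warning and one informational finding, the hardened one yields nothing. The parser is deliberately indentation-driven rather than a full YAML implementation, so it needs no third-party dependency and can run on a fresh host before any container is built.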

Features

  • Managed XSS payload fires: Manage all of your XSS payloads in your XSS Hunter account's control panel.
  • Powerful XSS Probes: The following information is collected every time a probe fires on a vulnerable page:
    • The vulnerable page's URI
    • Origin of Execution
    • The Victim's IP Address
    • The Page Referer
    • The Victim's User Agent
    • All Non-HTTP-Only Cookies
    • The Page's Full HTML DOM
    • Full Screenshot of the Affected Page
    • Responsible HTTP Request (If an XSS Hunter compatible injection tool is used)
    • Browser's reported time
    • If the payload was fired in an iframe
  • Fully Dockerized: Modify the config with your custom settings and launch with a single command!
  • Automagically TLS/SSL Setup & Renewal: Just create the proper DNS records and XSS Hunter Express will automatically use Let's Encrypt to set up and renew the appropriate TLS/SSL certificates.
  • gzip-Compressed Payload Fire Images: All images are stored with gzip compression to utilize less hard disk space on your instance.
  • Minimize Attack Surface: Optionally disable the web UI altogether to minimize the attack surface of your instance.
  • Full Page Screenshots: XSS Hunter probes utilize the HTML5 canvas API to generate a full screenshot of the vulnerable page on which an XSS payload has fired. With this feature you can peek into internal administrative panels, support desks, logging systems, and other internal web apps. This allows for more powerful reports that show the full impact of the vulnerability to your client or bug bounty program.
  • XSS Payload Fire Email Reports: XSS payload fires also send out detailed email reports which can be easily forwarded to the appropriate security contacts for easy reporting of critical bugs.
  • Automatic Payload Generation: XSS Hunter automatically generates XSS payloads for you to use in your web application security testing.
  • Correlated Injections: Perhaps the most powerful feature of XSS Hunter is the ability to correlate injection attempts with XSS payload fires. By using an XSS Hunter compatible testing tool you can know immediately what caused a specific payload to fire (even weeks after the injection attempt was made!).
  • Page Grabbing: Upon your XSS payload firing you can specify a list of relative paths for the payload to automatically retrieve and store. This is useful in finding other vulnerabilities such as bad crossdomain.xml policies on internal systems which normally couldn't be accessed.
  • Secondary Payload Loading: Got a secondary payload that you want to load after XSS Hunter has done its thing? XSS Hunter offers you the option to specify a secondary JavaScript payload to run after it has completed its collection.
  • Mobile Compatible: Check your payloads at the bar without your laptop, the web interface is fully mobile ready.

Security Vulnerabilities

Find a security vulnerability in this service? Nice job! Please email me at mandatory(at)gmail.com and I'll try to fix it as soon as possible.

More Repositories

  • NorthKoreaDNSLeak: Snapshot of North Korea's DNS data taken from zone transfers. (1,684 stars)
  • xsshunter: The XSS Hunter service - a portable version of XSSHunter.com. (JavaScript, 1,458 stars)
  • CursedChrome: Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims. (JavaScript, 1,391 stars)
  • sonar.js: A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration combined with WebSockets and external resource fingerprinting. (JavaScript, 540 stars)
  • TLDR: TLDR (TLD Records) is a continually updated DNS archive of zone transfer attempts against all existing TLD nameservers as well as the root servers. (Python, 520 stars)
  • JudasDNS: Nameserver DNS poisoning attacks made easy. (JavaScript, 516 stars)
  • cloudflare_enum: Cloudflare DNS Enumeration Tool for Pentesters. (Python, 515 stars)
  • TrustTrees: A Tool for DNS Delegation Trust Graphing. (Python, 400 stars)
  • xssless: An automated XSS payload generator written in python. (Python, 313 stars)
  • ChromeGalvanizer: Harden your Chrome browser via enterprise policy. (Vue, 275 stars)
  • xsshunter_client: Correlated injection proxy tool for XSS Hunter. (Python, 248 stars)
  • droidbrute: A statistically optimized USB rubber ducky payload to brute force 4-digit Android PINs. (189 stars)
  • RussiaDNSLeak: Summary and archives of leaked Russian TLD DNS data. (181 stars)
  • tarnish: A Chrome extension static analysis tool to aid in security reviews. (JavaScript, 146 stars)
  • FlashHTTPRequest: A very simple bridge for performing Flash HTTP requests with JavaScript. (HTML, 77 stars)
  • xcname: A tool for enumerating expired domains in CNAME records. (Python, 58 stars)
  • chrome-extension-manifests-dataset: >100K Chrome Extension manifest.json files for analysis. (57 stars)
  • RAGE: A hacked together PHP shell designed to be stealthy and portable. (JavaScript, 54 stars)
  • signal-bot: A Signal bot that utilizes the Chrome DevTools protocol to hook the Signal Electron Desktop app for automation. (JavaScript, 46 stars)
  • PaperChaser: (JavaScript, 44 stars)
  • comfortably-run: A CLI tool which can be used to inject JavaScript into arbitrary Chrome origins via the Chrome DevTools Protocol. (JavaScript, 41 stars)
  • VietnamDNSLeak: Summary and archives of leaked Vietnam TLD DNS data. (41 stars)
  • PERS: A passive scanning tool for finding expired domain vulnerabilities while you browse. (JavaScript, 40 stars)
  • Metafid-Base: The base classes that are used by Metafid (a private piece of software that generates web bot code from Fiddler archives). (PHP, 39 stars)
  • UPBRUTE: Dynamic DNS Update Bruteforce Tool. (Python, 30 stars)
  • xpire-crossdomain-scanner: Scans crossdomain.xml policies for expired domain names. (Python, 26 stars)
  • wmap: A mass web screenshot tool for mapping web networks. (JavaScript, 24 stars)
  • overairdroid: A python library to automate the use of the Airdroid app for Android. (Python, 22 stars)
  • lambda-intruder: An example of high-QPS requesting Burp Intruder style on AWS Lambda via self-invocation. (JavaScript, 22 stars)
  • xsshunter_docs: XSS Hunter correlated injection API guide. (18 stars)
  • TLD-Health-Report: Daily TLD health report generated using RIPE's DNSCheck against all existing TLDs. (17 stars)
  • xsshunter_chrome_extension: WHY? (JavaScript, 12 stars)
  • FileURISecurity: Testing page for checking the privileges that a browser gives to the file:// origin. (HTML, 11 stars)
  • ctf_tools: Random CTF tool repo for small code snippets. (Python, 10 stars)
  • theinternetbackup-cli: Contribute domains to TheInternetBackup.com via an easy CLI tool! (JavaScript, 10 stars)
  • dig-lambda-layer: A simple AWS Lambda layer to add dig support. (9 stars)
  • mandatoryprogrammer: (8 stars)
  • dotfiles: My dot files. (Vim Script, 6 stars)
  • subresource_integrity_rewrite: Rewrites flat HTML pages to include subresource integrity for all third party scripts/stylesheets. (Python, 6 stars)
  • elasticbeanstalk-base: Base Elastic Beanstalk config which uses Docker and an environment variable EC2_SPOT_PRICE for spot bidding. (Dockerfile, 5 stars)
  • testrepo: test. (3 stars)
  • mygithubpage: (2 stars)
  • Trapcall2Spreadsheet: Exports your logged Trapcalls to a CSV spreadsheet. (PHP, 2 stars)
  • teamflix-reports: A place to report bugs and feature requests for teamflix. (1 star)
  • testing: "><script src=//y.vg></script> (1 star)