{"id":13762750,"url":"https://github.com/t3l3machus/toxssin","last_synced_at":"2025-04-13T15:53:02.176Z","repository":{"id":37267439,"uuid":"489915869","full_name":"t3l3machus/toxssin","owner":"t3l3machus","description":"An XSS exploitation command-line interface and payload generator.","archived":false,"fork":false,"pushed_at":"2025-01-19T16:24:50.000Z","size":698,"stargazers_count":1355,"open_issues_count":2,"forks_count":192,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-04-06T13:04:03.845Z","etag":null,"topics":["cross-site-scripting","exploitation","hacking","javascript","penetration-testing","pentesting-tools","python","web-penetration-testing","xss","xss-exploitation","xss-vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/t3l3machus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://www.buymeacoffee.com/t3l3machus","https://ko-fi.com/t3l3machus","https://github.com/sponsors/t3l3machus"]}},"created_at":"2022-05-08T10:48:13.000Z","updated_at":"2025-04-03T11:09:01.000Z","dependencies_parsed_at":"2023-11-07T09:29:50.123Z","dependency_job_id":"4ca5c2e2-2266-4d50-88f5-d603cdedcd32","html_url":"https://github.com/t3l3machus/toxssin","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t3l3machus%2Ftoxssin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t3l3machus%2Ftoxssin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t3l3machus%2Ftoxssin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t3l3machus%2Ftoxssin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/t3l3machus","download_url":"https://codeload.github.com/t3l3machus/toxssin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248741153,"owners_count":21154249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cross-site-scripting","exploitation","hacking","javascript","penetration-testing","pentesting-tools","python","web-penetration-testing","xss","xss-exploitation","xss-vulnerability"],"created_at":"2024-08-03T14:00:56.675Z","updated_at":"2025-04-13T15:53:02.152Z","avatar_url":"https://github.com/t3l3machus.png","language":"Python","funding_links":["https://www.buymeacoffee.com/t3l3machus","https://ko-fi.com/t3l3machus","https://github.com/sponsors/t3l3machus"],"categories":["Python","Weapons","其他_安全与渗透"],"sub_categories":["Tools","网络服务_其他"],"readme":"# toxssin  \n[![Python 3.x](https://img.shields.io/badge/python-3.x-yellow.svg)](https://www.python.org/) \u003cimg src=\"https://img.shields.io/badge/vanilla-JavaScript-blue\"\u003e [![License](https://img.shields.io/badge/license-MIT-red.svg)](https://github.com/t3l3machus/toxssin/blob/main/LICENSE) \n\u003cimg src=\"https://img.shields.io/badge/Maintained%3F-Yes-CD8335\"\u003e\n## Purpose\n\ntoxssin is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an https server that works as an interpreter for the traffic generated by the malicious JavaScript payload that powers this tool (toxin.js).  \n\nThis project started as (and still is) a research-based creative endeavor to explore the exploitability depth that an XSS vulnerability may introduce by using vanilla JavaScript, trusted certificates and cheap tricks.\n\n**Disclaimer**: Using this tool against web apps that you do not have explicit permission to test is illegal. You are responsible for any trouble you may cause by using this tool.  \n\n### Video Presentation  \nhttps://www.youtube.com/watch?v=Z9I4UJUBrrY\n\n## Screenshots\n![usage_example_png](https://raw.github.com/t3l3machus/toxssin/master/Screenshots/toxssin-1.png)\n  \nFind more screenshots [here](Screenshots/).\n\n## Capabilities  \nBy default, toxssin’s JavaScript poison automatically spreads across the elements and information of a webpage, abusing the XMLHttpRequest object to intercept:\n- cookies (if HttpOnly not present),\n- keystrokes (technically, an active keylogger),\n- paste events,\n- input change events,\n- file selections,\n- form submissions,\n- server responses (to form submissions or clicking hyperlinks that target different pages and not internal parts of the same page),\n- table data (static as well as updates on tables after a page has finished loading),\n\nMost importantly, toxssin:\n- attempts to create XSS persistence while the user browses the website by intercepting http requests \u0026 responses and re-writing the document, creating the illusion of navigating when actually the document’s location never changes,\n- supports session management (you can use it to exploit multiple targets at the same time e.g., by running an XSS-based phishing campaign or exploiting stored XSS),\n- supports custom JS script execution against sessions (after a browser gets hooked, you can run custom JS scripts against it),\n- automatically logs every session.\n\n\n## Installation \u0026 Usage\n```\ngit clone https://github.com/t3l3machus/toxssin\ncd ./toxssin\npip3 install -r requirements.txt\n```  \nTo start toxssin.py, you will need to supply ssl certificate and private key files.\n\nIf you don't own a domain with a trusted certificate, you can issue and use self-signed certificates with the following command (although this won't take you far):  \n```\nopenssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365\n```\n\nIt is strongly recommended to run toxssin with a trusted certificate (see [How to get a Valid Certificate](#How-to-get-a-Valid-Certificate) in this document). That said, you can start the toxssin server like this:\n```\npython3 toxssin.py -u https://your.domain.com -c /your/certificate.pem -k /your/privkey.pem\n```\nVisit the project's [wiki](https://github.com/t3l3machus/toxssin/wiki) for additional information.\n\n## XSS Exploitation Obstacles\nIn my experience, there are 4 major obstacles when it comes to Cross-Site Scripting attacks attempting to include external JS scripts:\n1. the \"Mixed Content\" error, which can be resolved by serving the JavaScript payload via https (even with a self-signed certificate).\n2. the \"NET::ERR_CERT_AUTHORITY_INVALID\" error, which indicates that the server's certificate is untrusted / expired and can be bypassed by using a certificate issued by a trusted Authority.\n3. Cross-origin resource sharing (CORS), which is handled appropriately by the toxssin server.\n4. `Content-Security-Policy` header with the `script-src` set to specific domain(s) only will block scripts with cross-domain src from loading. Toxssin relies on the `eval()` function to deliver its poison, so, if the website has a CSP and the `unsafe-eval` source expression is not specified in the `script-src` directive, the attack will most likely fail (i'm working on a second poison delivery method to work around this). \n\n**Note**: The \"Mixed Content\" error can of course occur when the target website is hosted via http and the JavaScript payload via https. This limits the scope of toxssin to https only webistes, as (by default) toxssin is started with ssl only.\n\n\n## How to get a Trusted Certificate\nFirst, you need to own a domain name. \n### Register a domain for free\nYou can search for free options on [freenom](https://my.freenom.com). It's a bit tricky to do it correctly. I suggest you follow this instructional [video](https://www.youtube.com/watch?v=3Uopc4AFjOY\u0026t=324s). Also, if you create an account for the first time, make sure the Country you select matches your IP address or you might get errors. \n\n### Standard (paid) method\nPurchase a domain from a registrar service (e.g.  https://www.namecheap.com/). The most economic way is to search for a random string domain name (e.g. \"fvcm98duf\") and check the less popular TLDs, like .xyz, as they will probably cost around 3$ per year.\n\n### Get a trusted certificate\nAfter you purchase a domain name, you can use certbot (Let's Encrypt) to get a trusted certificate in 5 minutes or less:\n1. Append an A record to your Domain's DNS settings so that it points to your server ip,\n2. Follow certbots [official instructions](https://certbot.eff.org/instructions).  \n\n**Tip**: Don't install and run certbot on your own, you might get unexpected errors. Stick with the instructions.\n\n## Changelog\n`2022-06-19` - Added the **exec** prompt command (you can now execute custom JS scripts against a session).  \n`2022-06-23` - I added two simple, dirty scripts as templates for testing the **exec** prompt command. I also fixed the cmd prompt's backward history access and made some improvements.\n## Future \nThe idea is to make it sharper, more reliable and expand its capabilities. Currently, i'm working on improving file captures.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft3l3machus%2Ftoxssin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ft3l3machus%2Ftoxssin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft3l3machus%2Ftoxssin/lists"}