Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/gwen001/bxss
Alternative to XSS Hunter for blind XSS.
https://github.com/gwen001/bxss
bugbounty pentesting php security-tools xss xsshunter
Last synced: 6 days ago
JSON representation
Alternative to XSS Hunter for blind XSS.
- Host: GitHub
- URL: https://github.com/gwen001/bxss
- Owner: gwen001
- License: mit
- Created: 2022-11-08T22:37:50.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2022-12-08T17:05:37.000Z (almost 2 years ago)
- Last Synced: 2024-06-20T19:25:28.978Z (5 months ago)
- Topics: bugbounty, pentesting, php, security-tools, xss, xsshunter
- Language: PHP
- Homepage:
- Size: 442 KB
- Stars: 42
- Watchers: 2
- Forks: 11
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE.md
Awesome Lists containing this project
README
bxss
My alternative to XSS Hunter for blind XSS.
---
## Features
- reports stored in `sqlite` database
- call logged in log file
- reports send on Slack channel (beta)
- data collected:
- vulnerable URL
- referer URL
- victim IP
- victim User-Agent
- victim cookies
- victim locale storage
- HTML of the vulnerable page
- screenshot of the vulnerable page
Todo:
- reports send by mail
## Install
```
git clone https://github.com/gwen001/bxss
```
The web user should have write access on the directory `images`.
## Configure domain
Using Apache, you can easily configure a vhost like this:
```
ServerName x.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/bxss/
SSLCertificateFile /etc/letsencrypt/live/x.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/x.example.com/privkey.pem
ServerName x.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/bxss/
```
## Injection
As soon as the script is available online, you can use your favorite XSS payload:
```
```
---
---
Feel free to [open an issue](/../../issues/) if you have any problem with the script.