Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rverton/gxss

Blind XSS service alerting over slack or email
https://github.com/rverton/gxss

blind-xss exfiltration pentesting security xss

Last synced: 3 months ago
JSON representation

Blind XSS service alerting over slack or email

Host: GitHub
URL: https://github.com/rverton/gxss
Owner: rverton
License: mit
Created: 2019-08-02T10:17:36.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2019-08-06T08:36:48.000Z (over 5 years ago)
Last Synced: 2024-06-26T00:37:29.027Z (5 months ago)
Topics: blind-xss, exfiltration, pentesting, security, xss
Language: Go
Size: 236 KB
Stars: 33
Watchers: 3
Forks: 7
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

WebHackersWeapons - gxss - xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)| (Weapons / Tools)

README

        ## Blind XSS as a service

**gxss** is a simple tool which serves a javascript payload and allows to identify blind XSS vulnerabilities. This is similar to [xsshunter](https://github.com/mandatoryprogrammer/xsshunter), but a bit simpler to configure and run. Alerts can be sent via Slack or email. Emails will also have a screenshot of the DOM attached (which is not possible over the Slack webhook API).

![gxss](misc/mail.png)

*Note: The javascript payload was taken (and slightly modified) from [xsshunter](https://github.com/mandatoryprogrammer/xsshunter)*

### Installation

```

go get -u github.com/rverton/gxss

```

### Configuration

Create a file called `.env` or set up your environment to export the following data:

```

PORT=8080

MAIL_SERVER=mail.example.com:25

MAIL_USER=user

MAIL_PASS=pass

[email protected]

[email protected]

SLACK_WEBHOOK=https://hooks.slack.com/XYZ

SERVE_URL=localhost:8080

```

The `SERVE_URL` is the public accessible URL of your server.

You can leave the `MAIL_*` or the `SLACK_WEBHOOK` setting blank if you do not want to use it. Find more about how to setup Slack webhooks [here](https://api.slack.com/incoming-webhooks).

### Usage

```

$ gxss

```

You can now use a payload like the following which will load and execute the javascript payload:

```html

```

gxss can also be used as a request bin. Every request matching `//yourserver.com/k{key}` will be alerted to you. Example:

```html



```

### Alternatives

* [xsshunter](https://github.com/mandatoryprogrammer/xsshunter), python, most features, alerts require Mailgun account and wildcard certificate

* [xless](https://github.com/mazen160/xless), node.js, serverless on [zeit.co](https://zeit.co), alerts over Slack