Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rverton/gxss
Blind XSS service alerting over slack or email
blind-xss exfiltration pentesting security xss
Last synced: 26 days ago
- Host: GitHub
- URL: https://github.com/rverton/gxss
- Owner: rverton
- License: mit
- Created: 2019-08-02T10:17:36.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-08-06T08:36:48.000Z (over 5 years ago)
- Last Synced: 2024-08-03T14:06:34.649Z (4 months ago)
- Topics: blind-xss, exfiltration, pentesting, security, xss
- Language: Go
- Size: 236 KB
- Stars: 32
- Watchers: 3
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- WebHackersWeapons - gxss (Weapons / Tools)
README
## Blind XSS as a service
**gxss** is a simple tool that serves a JavaScript payload and lets you identify blind XSS vulnerabilities. It is similar to [xsshunter](https://github.com/mandatoryprogrammer/xsshunter), but a bit simpler to configure and run. Alerts can be sent via Slack or email. Emails also have a screenshot of the DOM attached (which is not possible over the Slack webhook API).
![gxss](misc/mail.png)
*Note: The JavaScript payload was taken (and slightly modified) from [xsshunter](https://github.com/mandatoryprogrammer/xsshunter)*
### Installation
```
go get -u github.com/rverton/gxss
```
### Configuration
Create a file called `.env` or set up your environment to export the following data:
```
PORT=8080
MAIL_SERVER=mail.example.com:25
MAIL_USER=user
MAIL_PASS=pass
[email protected]
[email protected]
SLACK_WEBHOOK=https://hooks.slack.com/XYZ
SERVE_URL=localhost:8080
```
The `SERVE_URL` is the publicly accessible URL of your server.
You can leave the `MAIL_*` or the `SLACK_WEBHOOK` settings blank if you do not want to use them. Find out more about how to set up Slack webhooks [here](https://api.slack.com/incoming-webhooks).
### Usage
```
$ gxss
```
You can now use a payload like the following, which will load and execute the JavaScript payload:
```html
```
gxss can also be used as a request bin. Every request matching `//yourserver.com/k{key}` will be alerted to you. Example:
```html
```
### Alternatives
* [xsshunter](https://github.com/mandatoryprogrammer/xsshunter), python, most features, alerts require Mailgun account and wildcard certificate
* [xless](https://github.com/mazen160/xless), node.js, serverless on [zeit.co](https://zeit.co), alerts over Slack