XSS-Catcher: blind XSS detection framework

XSS Catcher

A blind XSS detection framework that runs on Flask and VueJS.

XSS Catcher is a simple application that facilitates blind Cross-Site Scripting attacks and attacks that aim to gather data (e.g. cookies, session/local storage, screenshots, etc.).

Features

  • Generates simple customizable XSS payloads
  • Sends email alerts or webhooks (in Slack format) when a new XSS is caught
  • The destination email or webhook can be configured globally and per client
  • Separates the gathered data by clients
  • Multi-user with administrative and low privilege users
  • Stores information about the triggered XSS payloads like User-Agent, source IP address, timestamp, etc.
  • Allows capture of cookies, local storage, session storage, and more.
  • Acts as a “catch-all” endpoint. Just send your data in the querystring (GET) or body (POST) to your client’s URL and XSS Catcher will catch it!
  • Leverages html2canvas and fingerprintjs
  • Captures the full DOM so you can easily know where the payload triggered
  • Allows you to add custom tags to your XSS to better categorize them.

Install

To clone and run this application, you’ll need GitDockerDocker Compose and make. From your command line:

# Clone this repository
$ git clone https://github.com/daxAKAhackerman/XSS-Catcher.git

# Go into the repository
$ cd XSS-Catcher

# Deploy the application. Also, run this once if you are migrating from v1.0.0
$ make deploy

Update

# Pull the repository
$ git pull

# Before running an update, it is recommended to make a copy of your database in case something unexpected happens
$ cp -r /var/lib/docker/volumes/xss-catcher_xss-db/ /var/lib/docker/volumes/xss-catcher_xss-db-bak/

# Update the application
$ make update

Start/Stop containers

# Start the containers
$ make start

# Stop the containers
$ make stop

Use

  • Default credentials to connect to the Web interface are admin:xss
  • Default Web port is 8888

Copyright (c) 2020 Samuel De Grace

Source: https://github.com/daxAKAhackerman/


Source: Penetration Testing

Leave a Reply