toxssin: POST-XSS exploitation tool
By default, toxssin intercepts:
- cookies (unless the HttpOnly flag is set, in which case document.cookie cannot read them),
- paste events,
- input change events,
- file selections,
- form submissions,
- server responses,
- table data (static content as well as dynamic updates).
Most importantly, toxssin:
- attempts to maintain XSS persistence while the user browses the website by intercepting http requests & responses and re-writing the document,
- supports session management, meaning that you can use it to exploit reflected as well as stored XSS,
- supports custom JS script execution against sessions,
- automatically logs every session.
XSS Exploitation Obstacles
In my experience, there are 4 major obstacles when it comes to Cross-Site Scripting attacks attempting to include external JS scripts:
- the “NET::ERR_CERT_AUTHORITY_INVALID” error, which indicates that the server’s certificate is untrusted/expired and can be bypassed by using a certificate issued by a trusted Authority.
- Cross-origin resource sharing (CORS), which is handled appropriately by the toxssin server.
- A Content-Security-Policy header whose script-src directive is restricted to specific domain(s) will block scripts with a cross-domain src from loading. Toxssin relies on the eval() function to deliver its poison, so if the website has a CSP and the unsafe-eval source expression is not specified in the script-src directive, the attack will most likely fail (I'm working on a second poison delivery method to work around this).
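The CSP conditions described above (a script-src that admits a cross-domain src, and the presence of 'unsafe-eval') are exactly what a defender should audit for. The following checker is an added example written for this page, not part of toxssin: it parses a CSP header, resolves the effective script-src (falling back to default-src), and reports whether a given external script URL would be allowed to load on a given page and whether eval() is permitted. The header strings, hostnames and script URLs in it are constructed sample values; 'self' is approximated by hostname only, and nonce, hash and 'strict-dynamic' sources are treated conservatively as not allowlisting any host.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source, ...]}.
    The first occurrence of a directive wins (as in the CSP spec); later duplicates are ignored."""
    directives = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_script_src(directives: dict):
    """script-src governs <script> loading and eval(); absent, it falls back to default-src.
    Returns None when neither is present, i.e. no restriction at all."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def host_matches(source: str, host: str) -> bool:
    """Match a CSP host-source (https://cdn.example.com, *.example.com, example.com:443)
    against a hostname. Scheme, port and path are ignored for this host check."""
    src = source.lower()
    if "://" in src:
        src = src.split("://", 1)[1]
    src = src.split("/", 1)[0].split(":", 1)[0]
    if src.startswith("*."):
        # *.example.com matches sub.example.com but not the apex example.com
        return host.endswith(src[1:])
    return host == src


def assess(header: str, page_url: str, script_url: str) -> dict:
    """Report whether the policy lets <script src=script_url> load on page_url
    and whether it permits eval(). Both booleans True is the weakest outcome."""
    sources = effective_script_src(parse_csp(header))
    page_host = urlsplit(page_url).hostname
    script = urlsplit(script_url)
    if sources is None:
        return {"external_script_allowed": True, "eval_allowed": True,
                "reason": "no script-src or default-src: any origin and eval() are allowed"}
    lowered = [s.lower() for s in sources]
    if "'none'" in lowered:
        return {"external_script_allowed": False, "eval_allowed": False,
                "reason": "script-src 'none' blocks all script sources"}
    eval_allowed = "'unsafe-eval'" in lowered
    external = False
    for s in lowered:
        if s == "*" or (s in ("http:", "https:") and script.scheme in ("http", "https")):
            external = True  # wildcard or scheme-source: any host over http(s)
        elif s == "'self'":
            # Approximation: same hostname as the page (the spec compares full origin)
            external = external or script.hostname == page_host
        elif s.startswith("'"):
            # 'nonce-...', 'sha256-...', 'strict-dynamic' etc. do not allowlist a host here
            continue
        elif host_matches(s, script.hostname):
            external = True
    return {"external_script_allowed": external, "eval_allowed": eval_allowed,
            "reason": "effective script-src: " + " ".join(sources)}


if __name__ == "__main__":
    page = "https://app.example.com/"          # constructed sample page
    foreign = "https://cdn.example.net/x.js"    # constructed sample external script
    weak = "script-src * 'unsafe-eval'"
    hardened = "default-src 'self'; script-src 'self' https://static.example.com"
    for label, policy in (("weak", weak), ("hardened", hardened)):
        print(label, assess(policy, page, foreign))
```

The weak policy reports both conditions as allowed; the hardened one blocks the foreign script and, because 'unsafe-eval' is absent, eval() as well. Extending the checker to emit findings for every page in a crawl is a reasonable next step for a hardening review.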
Copyright (c) 2022 Panagiotis Chartas