XSS-Catcher: blind XSS detection framework
XSS Catcher
A blind XSS detection framework that runs on Flask and VueJS.
XSS Catcher is a simple application that facilitates blind Cross-Site Scripting attacks and attacks that aim to gather data (e.g. cookies, session/local storage, screenshots, etc.).
Features
- Generates simple customizable XSS payloads
- Sends email alerts or webhooks (in Slack format) when a new XSS is caught
- The destination email or webhook can be configured globally and per client
- Separates the gathered data by clients
- Multi-user with administrative and low privilege users
- Stores information about the triggered XSS payloads like User-Agent, source IP address, timestamp, etc.
- Allows capture of cookies, local storage, session storage, and more.
- Acts as a “catch-all” endpoint. Just send your data in the querystring (GET) or body (POST) to your client’s URL and XSS Catcher will catch it!
- Leverages html2canvas and fingerprintjs
- Captures the full DOM so you can easily know where the payload triggered
- Allows you to add custom tags to your XSS to better categorize them.
Install
To clone and run this application, you’ll need Git, Docker, Docker Compose and make. From your command line:
# Clone this repository
$ git clone https://github.com/daxAKAhackerman/XSS-Catcher.git
# Go into the repository
$ cd XSS-Catcher
# Deploy the application. Also, run this once if you are migrating from v1.0.0
$ make deploy
Update
# Pull the repository
$ git pull
# Before running an update, it is recommended to make a copy of your database in case something unexpected happens
$ cp -r /var/lib/docker/volumes/xss-catcher_xss-db/ /var/lib/docker/volumes/xss-catcher_xss-db-bak/
# Update the application
$ make update
Start/Stop containers
# Start the containers
$ make start
# Stop the containers
$ make stop
Use
- Default credentials to connect to the Web interface are admin:xss
- Default Web port is 8888
Copyright (c) 2020 Samuel De Grace