XSS-Catcher: blind XSS detection framework
XSS Catcher is a simple application that facilitates blind Cross-Site Scripting attacks and attacks that aim to gather data (e.g. cookies, session/local storage, screenshots, etc.).
- Generates simple customizable XSS payloads
- Sends email alerts or webhooks (in Slack format) when a new XSS is caught
- The destination email or webhook can be configured globally and per client
- Separates the gathered data by clients
- Multi-user with administrative and low privilege users
- Stores information about the triggered XSS payloads like User-Agent, source IP address, timestamp, etc.
- Allows capture of cookies, local storage, session storage, and more.
- Acts as a “catch-all” endpoint. Just send your data in the querystring (GET) or body (POST) to your client’s URL and XSS Catcher will catch it!
- Leverages html2canvas and fingerprintjs
- Captures the full DOM so you can easily know where the payload triggered
- Allows you to add custom tags to your XSS to better categorize them.
# Clone this repository
$ git clone https://github.com/daxAKAhackerman/XSS-Catcher.git
# Go into the repository
$ cd XSS-Catcher
# Deploy the application. Also, run this once if you are migrating from v1.0.0
$ make deploy
# Pull the repository
$ git pull
# Before running an update, it is recommended to make a copy of your database in case something unexpected happens
$ cp -r /var/lib/docker/volumes/xss-catcher_xss-db/ /var/lib/docker/volumes/xss-catcher_xss-db-bak/
# Update the application
$ make update
# Start the containers
$ make start
# Stop the containers
$ make stop
- Default credentials to connect to the Web interface are admin:xss
- Default Web port is 8888
Copyright (c) 2020 Samuel De Grace