XSS-Catcher: blind XSS detection framework
XSS Catcher
A blind XSS detection framework that runs on Flask and VueJS.
XSS Catcher is a simple application that facilitates blind Cross-Site Scripting attacks and attacks that aim to gather data (e.g. cookies, session/local storage, screenshots, etc.).
Features
- Generates simple customizable XSS payloads
- Sends email alerts or webhooks (in Slack format) when a new XSS is caught
- The destination email or webhook can be configured globally and per client
- Separates the gathered data by clients
- Multi-user with administrative and low privilege users
- Stores information about the triggered XSS payloads like User-Agent, source IP address, timestamp, etc.
- Allows capture of cookies, local storage, session storage, and more.
- Acts as a “catch-all” endpoint. Just send your data in the querystring (GET) or body (POST) to your client’s URL and XSS Catcher will catch it!
- Leverages html2canvas and fingerprintjs
- Captures the full DOM so you can easily know where the payload triggered
- Allows you to add custom tags to your XSS to better categorize them.
Install
To clone and run this application, you’ll need Git, Docker, Docker Compose and make. From your command line:
# Clone this repository
$ git clone https://github.com/daxAKAhackerman/XSS-Catcher.git# Go into the repository
$ cd XSS-Catcher# Deploy the application. Also, run this once if you are migrating from v1.0.0
$ make deploy
Update
# Pull the repository
$ git pull# Before running an update, it is recommended to make a copy of your database in case something unexpected happens
$ cp -r /var/lib/docker/volumes/xss-catcher_xss-db/ /var/lib/docker/volumes/xss-catcher_xss-db-bak/# Update the application
$ make update
Start/Stop containers
# Start the containers
$ make start# Stop the containers
$ make stop
Use
- Default credentials to connect to the Web interface are admin:xss
- Default Web port is 8888
Copyright (c) 2020 Samuel De Grace
