XSScope: Modern Browser exploitation via XSS

XSScope

Go beyond the alert

XSScope is one of the most advanced GUI Frameworks for XSS Client-side attacks. It can perform different XSS attacks and HTML Injections in real-time.

Features

• Perform XSS botnet attack(s). Every victim who is affected by the XSS payload (in the webserver), will constantly bind the payload and wait for commands from the attacker. A bind payload is one that waits for a connection from its controller.
• HTTP Flood (DDos) via XSS botnets
• Generates a Port Forwarding TCP and a Local PHP Server as well
• Automatic payload generator for Bug Hunting (Blind, Stored, Reflected & DOM XSS)
• Generate Local HTTP Server

Spying Features

• Camera Hijacking
• Get victim’s saved credentials from the vulnerable website
• Gather information about the victim (Browser, version, Operating System, User-Agent, Cookie (if any), Java enabled, Online status, Language used, Cookie enabled)
• Keylogger
• Screenshot victim’s browser
• Get victim’s real-time location
• Execute .NET Shellcode commands
• Force download malicious file

HTML code injection

• Generate Phishing Websites with 2 clicks using pre-generated HTML codes such as:
  • Amazon
  • Google
  • Line
  • LinkedIn
  • Steam
  • Twitch
  • Verizon
  • WiFi (expired session)
• Generate Website Defacion with 2 clicks using an HTML template
• Import HTML file from external file
• Add your own HTML code

Arbitrary Javascript code execution

• Execute Javascript code into the victim’s browser once a shell is opened in your listener

Funny modules:

• Change every link on the website
• Change every image on the website
• Clickjacker (redirect to another URI once user click somewhere on the website)

Install & Use

Copyright (C) 2021 kleiton0x00