XSScope: Modern Browser exploitation via XSS

by do son ·

XSScope

Go beyond the alert

XSScope is one of the most advanced GUI Frameworks for XSS Client-side attacks. It can perform different XSS attacks and HTML Injections in real-time.

Features

  • Perform XSS botnet attack(s). Every victim who is affected by the XSS payload (in the webserver), will constantly bind the payload and wait for commands from the attacker. A bind payload is one that waits for a connection from its controller.
  • HTTP Flood (DDos) via XSS botnets
  • Generates a Port Forwarding TCP and a Local PHP Server as well
  • Automatic payload generator for Bug Hunting (Blind, Stored, Reflected & DOM XSS)
  • Generate Local HTTP Server

Spying Features

  • Camera Hijacking
  • Get victim’s saved credentials from the vulnerable website
  • Gather information about the victim (Browser, version, Operating System, User-Agent, Cookie (if any), Java enabled, Online status, Language used, Cookie enabled)
  • Keylogger
  • Screenshot victim’s browser
  • Get victim’s real-time location
  • Execute .NET Shellcode commands
  • Force download malicious file

HTML code injection

  • Generate Phishing Websites with 2 clicks using pre-generated HTML codes such as:
    • Amazon
    • Google
    • Line
    • LinkedIn
    • Steam
    • Twitch
    • Verizon
    • WiFi (expired session)
  • Generate Website Defacion with 2 clicks using an HTML template
  • Import HTML file from external file
  • Add your own HTML code

Arbitrary Javascript code execution

  • Execute Javascript code into the victim’s browser once a shell is opened in your listener

Funny modules:

  • Change every link on the website
  • Change every image on the website
  • Clickjacker (redirect to another URI once user click somewhere on the website)

Install & Use

Copyright (C) 2021 kleiton0x00

Tags: XSSXSScope