github.com/ssl/ezXSS

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

ezXSS is a tool that is designed to help find and exploit cross-site scripting (XSS) vulnerabilities. One of the key features of ezXSS is its ability to identify and exploit blind XSS vulnerabilities, which can be difficult to find using traditional methods.

Once an ezXSS payload is placed, the user must wait until it is triggered, at which point ezXSS will store and alert the user all the information of the vulnerable page. These reports can then be used to further identify and track important data. Payloads can even be updated to make the XSS persistent, allowing to track the infected user over all visited pages and open a reverse proxy.

Features

• Easy to use dashboard with settings, statistics, payloads, view/share/search reports
• Persistent XSS sessions with reverse proxy aslong as the browser is active
• Manage unlimited users with permissions to personal payloads & their reports
• Instant alerts via mail, Telegram, Slack, Discord or custom callback URL
• Custom extra javascript payloads
• Custom payload links to distinguish insert points
• Extract additional paths, automatic (recursive) spider, block, whitelist and more filters
• :new: Extensions that can add or edit ezXSS payload functions (check out ezXSS-extensions)
• Secure your login with Two-factor (2FA)
• The following information can be collected on a vulnerable page:
  • The URL of the page
  • IP Address
  • Any page referer (or share referer)
  • The User-Agent
  • All Non-HTTP-Only Cookies
  • All Locale Storage
  • All Session Storage
  • Full HTML DOM source of the page
  • Page origin
  • Time of execution
  • Payload URL
  • Screenshot of the page
  • Extracted additional defined paths
  • Extracted content of links from (recursive) spider
  • Any extra custom fields (via extensions or custom JS)
• Triggers in all browsers, starting from Chrome 1+, IE 6+, Firefox 1+, Opera 10+, Safari 4+
• much much more, and, its just ez :-)

Required

• Server or shared web hosting with PHP 7.1 or up
• Domain name (consider a short one or check out shortboost)
• SSL Certificate to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL)

Installation

ezXSS is ez to install with Apache, NGINX or Docker

visit the wiki for installation instructions.

Explore ezXSS hassle free

Interested in using ezXSS but don't want to install it yet? Worry not! You can access and start using ezXSS with a free account without the need of a domainname or a webserver. Simply sign up and get started without any installation hassle.

Create account on ezxss.com

Contribute

Maintenance of this project is made possible by all the contributors and sponsors. I've personally worked for over 8 years on this project, taking hundreds of hours from my time. Please kindly consider becoming a sponsor, so I can continue maintaining and improving ezXSS as well as creating and releasing new projects. Current sponsors and (past) sponsors/contributors with a big impact on the project:

    

      

Become a sponsor
or, leave a star!