-
-
Notifications
You must be signed in to change notification settings - Fork 332
Setting definitions
If cookies, full DOM, origin, referer, uri, user agent and IP are already known in the database either;
- Both save report and send alert
- Only save report
- Only send alert
- Don't save report or send alert
When enabled, all actions done by users such as editing settings or payloads will be logged and stored to be viewed on the Logs page. Also some certain errors will be logged, which as errors in writing screenshots to the server.
When screenshots are enabled, you can either store it on the server or in the database. Storing on the server takes less space, but needs the correct permissions to write to the img folder.
Certain columns such as the DOM, screenshot, local and session storage can be hundreds of MBs on big sites. When these sites trigger the payload many times, the database can be overloaded with gigabytes of data. You can choose to store this data as plaintext, or compress and encode it, which can reduce up to 80% of data.
A list of blocked domains. If a callback fires of this domain it will not be saved or alerted. Seperate domains by a comma.
Only save and alert a report if the domain is in the whitelist. All others are dropped. Seperate domains by a comma.
The length of the DOM (source code) within an alert. An alert might be unreadable or blocked by your email client if the DOM is too long. Recommended size is 500. Put this on 0 to get full DOM. (This setting can now only be changed in the database, default is 500)
The email the report alert is send to
If you want to receive alerts in Telegram, u can setup your own bot. Send a /newbot
message to @botfather on Telegram. Supply a name and username and u will receive a token.
The ID of the chat where the bot needs to send the alerts. You can easily obtain this by sending a message to your own created bot on Telegram and then click on get Chat ID
within ezXSS.
You can supply a custom callback URL to alert. The whole report will be posted as an JSON string.
A webhook URL of either Discord or Slack can be added to receive alerts.
Add custom javascript next to ezXSS which will run once the payload is triggered.
These settings are for the database connection ezXSS will make. When using Docker, only password needs to be changed to a random value. If not, fill in all information as needed.
dbHost="ezxssdb" # On same-server, this is mostly localhost/127.0.0.1
dbUser=ezxss # The database username
dbPassword=changeme # The database password
dbName=database # The database name
dbPort=3306 # If not changed, port is 3306
App settings of ezXSS
debug=false # Setting this to true will display PHP errors on the pages. Do not enable this unless you are debugging something
httpmode=false # Setting this to true will allow ezXSS to work without SSL. Only do this when you do not have a certificate installed (yet)
signupEnabled=false # Defines whenever sign up is enabled, do not enable this unless you are serving a public ezXSS installation - this allows anyone to register!
These settings are only if you are using ezXSS with Docker
dockerHttpPort=80 # The HTTP port
dockerHttpsPort=443 # The HTTPS port
useMailAlerts=true # When true, msmtprc will be installed on the image
autoInstallCertificate=true # When true, ezXSS will try to automatically install a certificate using certbot
domain=example.ezxss.com # The domain used to install a certificate for, only used if autoInstallCertificate=true
These settings are only for ezProxy, when using persistent sessions with reverse proxy
prHost=0.0.0.0 # The host where ezProxy will listen to, 0.0.0.0 means all
prWebPort=30055 # The websocket port where persistent session users will connect to
prProxyPort=13000 # The proxy port where you connect to to reverse proxy a session
prCertFile=/home/ezxss/domains/example.com/ssl.cert # The cert file of the domain the persistent session user is connected to
prKeyFile=/home/ezxss/domains/example.com/ssl.key # The key file of the domain the persistent session user is connected to
prUseLogin=false # Defines if the reverse proxy can only be connected to with a login
prUser=ezxss # The login username if prUseLogin=true
prPassword=ezxss # The login password if prUseLogin=true