Skip to content

thatsn0tmysite/xsserve

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

71 Commits
.images
.images
 
 
cmd
cmd
 
 
core
core
 
 
database
database
 
 
server
server
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

XSServe logo

XSServe

XSServe is a shameless copy of heavily inspired by the XSSHunter project (by @IAmMandatory), rewritten in Go.

⚠ Disclaimer

The project is in a SEMI usable state right now, if you want a prime experience I still suggest the use of other tools.

NOTE: only basic authentication is supported for the UI for now.

📷 Mandatory screenshot(s)

Mandatory screenshot

Mandatory screenshot 2

🏁 Goals

The initial goal is to allow users to use the same service, but in a self-contained way for lazy penetration testers, like myself.

The final goal is still unclear as the project might evolve as different needs arise.

The basic current features include:

  • Blind XSS (screenshot, cookies, DOM)
  • Information gathering (browser fingerprinting, local time and date, UA)
  • Automatic session hijacking using Selenium (click big blue button, browse as victim!)
  • Websockets for live js injections (like BEeF, but simpler)

Planned features:

  • Spy mode: see what the user sees, types and points at in real time
  • BEeF like plugins and victim browser management
  • Report generation
  • Cool dashboard to keep track of them pwns
  • Payload obfuscation
  • Serving of custom js files via API

Possible "maybe" features:

  • Auto-submit to bug bounty platform(s)
  • Enable multiple users (this might need some major refactoring)
  • idk?

🔧 Build

This project requires at least golang >= 1.16, as it makes use of the embed package. To run the project:

go run main.go [options]

To build it:

go build xsserve

👋 Contributing

Currently I'd love some help with:

  • UI/UX: in case it wasn't obvious by the look of it, the UI is pretty ugly. I wouldn't mind a skilled UI designer to do a nice looking interface to ease the usage and look... well... good.
  • Developers: I am currently working on this project as I learn Go, in the little free time I have, I am by no means a developer so any advice is appreciated, without overly complicating the project.
  • Logo: cause every cool project has a logo.
  • Getting a life... Anyone?

If you want to get in touch hit me up on twitter or matrix!

✅ TODO

Here is a list of TODO I have handy, there is much more to do:

  • Basic functionality
  • Replace DB
  • Dashboard
  • Decent UI
  • Logo
  • Dynamic blind.js file
  • blind.js other fixes / simplify code
  • Dynamic hook.js file
  • Live browser "spy mode" (currently in the works, might change to webrtc later idk)
  • Plugin system for hook.js (capabilityEnum, webcam/mic, live, BitB, keylogger, eventHook)
  • Allow custom files served by /c
  • Self-signed HTTPS certificate on startup
  • Minor mimetype issues
  • Better report details page
  • Export reports to md file
  • Secure code review
  • Custom error pages
  • Moar payloads
  • Docs, docs everywhere!
  • Obfuscate payloads if requested
  • Integrated GeoIP for nonsense IP localization with minimap :)

About

A shameless copy of XSSHunter, written in Go

Resources

Readme

License

MIT license
Activity

Stars

6 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages