Find blind XSS but why not gather data while you're at it.

digitalarche/XSS-Catcher



XSS-Catcher

A blind XSS detection framework that runs on Flask and VueJS.

XSS Catcher is a simple application that facilitates blind Cross-Site Scripting attacks and attacks that aim to gather data (e.g. cookies, session/local storage, screenshots, etc.).


Features

  • Generates simple customizable XSS payloads
  • Sends email alerts when a new XSS is caught
  • The destination email is configured per client, to fit environments where different pentesters do not necessarily work on the same tests
  • Separates the gathered data by clients
  • Multi-user with administrative and low privilege users
  • Stores information about the triggered XSS payloads like User-Agent, source IP address, timestamp, etc.
  • Allows capture of cookies, local storage, session storage and any other specified parameters
  • Payloads can be customized by users as they please. Simply pass your data in the query string or POST body and the application will catch it!
  • Leverages html2canvas and fingerprintjs2
  • Captures the full DOM so you can easily know where the payload triggered
  • Granular deletion of captured data
  • Uses database initialisation scripts with Flask-Migrate, so switching to an alternative database only requires minor modifications to the docker-compose.yml file

Installation

To clone and run this application, you'll need Git, Docker and Docker Compose. From your command line:

```shell
# Clone this repository
$ git clone https://github.com/daxAKAhackerman/XSS-Catcher.git

# Go into the repository
$ cd XSS-Catcher

# Start the containers
$ docker-compose up -d
```

Update

```shell
# Pull the repository
$ git pull

# Build the new version of the containers
$ docker-compose build

# Start the containers
$ docker-compose up -d
```

First login

  • Default credentials to connect to the Web interface are admin:xss
  • Default Web port is 8888

Demo

screenshot

Troubleshooting

JavaScript mixed content error

To avoid JavaScript mixed content errors when the XSS payload is triggered, it is highly recommended to run XSS Catcher behind a reverse proxy that provides a valid TLS certificate.
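As an added illustration of that recommendation (this is not configuration shipped by the XSS-Catcher project), the following nginx server block terminates TLS and forwards requests to the application on its default port 8888. The hostname, the certificate paths and the assumption that the container is published on 127.0.0.1:8888 are placeholders to adapt to your own deployment.

```nginx
# Added example, not part of the XSS-Catcher repository.
# Assumes the app container is published on 127.0.0.1:8888 and that
# a certificate for catcher.example.invalid (placeholder) already exists.

# Redirect plain HTTP to HTTPS so every callback arrives over TLS.
server {
    listen 80;
    server_name catcher.example.invalid;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name catcher.example.invalid;

    ssl_certificate     /etc/letsencrypt/live/catcher.example.invalid/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/catcher.example.invalid/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

One caveat to check after deploying: once the application sits behind a proxy, the source IP address it records for each triggered payload is whatever the proxy presents, so confirm whether your deployment reads the forwarded header before relying on that field.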

Credits

Disclaimer

Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. We assume no liability and are not responsible for any misuse or damage caused by this tool.

GitHub @daxAKAhackerman

Languages

  • JavaScript 46.7%
  • HTML 38.4%
  • Vue 6.9%
  • Python 6.0%
  • CSS 1.5%
  • Shell 0.5%