github.com/thatsn0tmysite/xsserve

XSServe

XSServe is a shameless copy of heavily inspired by the XSSHunter project (by @IAmMandatory), rewritten in Go.

⚠ Disclaimer

The project is in a SEMI usable state right now, if you want a prime experience I still suggest the use of other tools.

NOTE: only basic authentication is supported for the UI for now.

📷 Mandatory screenshot(s)

🏁 Goals

The initial goal is to allow users to use the same service, but in a self-contained way for lazy penetration testers, like myself.

The final goal is still unclear as the project might evolve as different needs arise.

The basic current features include:

• Blind XSS (screenshot, cookies, DOM)
• Information gathering (browser fingerprinting, local time and date, UA)
• Automatic session hijacking using Selenium (click big blue button, browse as victim!)
• Websockets for live js injections (like BEeF, but simpler)

Planned features:

• Spy mode: see what the user sees, types and points at in real time
• BEeF like plugins and victim browser management
• Report generation
• Cool dashboard to keep track of them pwns
• Payload obfuscation
• Serving of custom js files via API

Possible "maybe" features:

• Auto-submit to bug bounty platform(s)
• Enable multiple users (this might need some major refactoring)
• idk?

🔧 Build

This project requires at least golang >= 1.16, as it makes use of the embed package. To run the project:

go run main.go [options]

To build it:

go build xsserve

👋 Contributing

Currently I'd love some help with:

• UI/UX: in case it wasn't obvious by the look of it, the UI is pretty ugly. I wouldn't mind a skilled UI designer to do a nice looking interface to ease the usage and look... well... good.
• Developers: I am currently working on this project as I learn Go, in the little free time I have, I am by no means a developer so any advice is appreciated, without overly complicating the project.
• Logo: cause every cool project has a logo.
• Getting a life... Anyone?

If you want to get in touch hit me up on twitter or matrix!

✅ TODO

Here is a list of TODO I have handy, there is much more to do:

• Basic functionality
• Replace DB
• Dashboard
• Decent UI
• Logo
• Dynamic blind.js file
• blind.js other fixes / simplify code
• Dynamic hook.js file
• Live browser "spy mode" (currently in the works, might change to webrtc later idk)
• Plugin system for hook.js (capabilityEnum, webcam/mic, live, BitB, keylogger, eventHook)
• Allow custom files served by /c
• Self-signed HTTPS certificate on startup
• Minor mimetype issues
• Better report details page
• Export reports to md file
• Secure code review
• Custom error pages
• Moar payloads
• Docs, docs everywhere!
• Obfuscate payloads if requested
• Integrated GeoIP for nonsense IP localization with minimap :)