XSS Catcher is a simple application that facilitates blind Cross-Site Scripting attacks and attacks that aim to gather data (e.g. cookies, session/local storage, screenshots, etc.).
- Generates simple customizable XSS payloads
- Sends email alerts when a new XSS is caught
- The destination email is configured per client to better fit an environment where different pentesters don’t necessarily work on the same tests
- Separates the gathered data by clients
- Multi-user with administrative and low privilege users
- Stores information about the triggered XSS payloads like User-Agent, source IP address, timestamp, etc.
- Allows capture of cookies, local storage, session storage and any other specified parameters
- Payload can be customized by the users as he pleases. Simply pass your data in the query string or POST body and the application will catch it!
- Leverages html2canvas and fingerprintjs
- Captures the full DOM so you can easily know where the payload triggered
- Granular deletion of captured data
# Clone this repository $ git clone https://github.com/daxAKAhackerman/XSS-Catcher.git # Go into the repository $ cd XSS-Catcher # If it is not already installed, install make $ apt install make # Deploy the application. Also, run this once if you are migrating from v1.0.0 $ make deploy
# Pull the repository $ git pull # Update the application $ make update
# Start the containers $ make start # Stop the containers $ make stop
- Default credentials to connect to the Web interface are admin:xss
- Default Web port is 8888
Database looks empty after migrating from v1.0.0 to v1.1.0 and up
Since v1.1.0 introduced the usage of randomized database passwords, be sure to run
make deploy after pulling the new version. If you don’t, your application will fallback to a local SQLite database, which is empty by default.
I accidentally deleted the
.env file that contained my database password
You can set a new database password by following these steps:
# While XSS Catcher is running, attach to the database container $ docker exec -it xss-catcher_db_1 bash # Log into the PostgreSQL database $ psql -U user xss # Set a new password for the user "user" $ \password user # Exit PostgreSQL and the container $ exit $ exit # Create a new file in the XSS Catcher directory named ".env" with the following content POSTGRES_PASSWORD=YOUR_NEW_PASSWORD POSTGRES_USER=user POSTGRES_DB=xss # Stop the application and start it again $ make stop $ make start
Download XSS Catcher