lewisardern / bxss
bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
License: MIT License
Hello,
I think you also need to add a "Telegram bot".
Thanks!
Payload Generation needs to have a few upgrades:
Hello, recently I was testing a few apps with your utility and came across the fact that the default body-parser limit (https://github.com/expressjs/body-parser#limit) is too small for handling some requests, especially while dealing with single-page applications.
I suggest adding body-parser's limit option to the config.
Deprecation warning: value provided is not in a recognized RFC2822 or ISO format. moment construction falls back to js Date(), which is not reliable across all browsers and versions. Non RFC2822/ISO date formats are discouraged and will be removed in an upcoming major release. Please refer to http://momentjs.com/guides/#/warnings/js-date/ for more info.
Current template structure sucks, needs a re-write.
A few things that need to be achieved in markdown.js:
html is not a real thing in Slack, so we have
Hi,
I tried to connect notifications through Slack, but I've been getting this error:
Error: missing_scope
at exec (/home/ubuntu/bXSS/node_modules/slack/src/_exec.js:11:15)
at Object._execWithToken (/home/ubuntu/bXSS/node_modules/slack/src/_factory.js:31:16)
at Object.exports.send (/home/ubuntu/bXSS/server/utilities/services/slack.js:14:16)
at reporters.forEach.svc (/home/ubuntu/bXSS/server/controllers/xss.js:21:32)
at Array.forEach (<anonymous>)
at reportToUtilities (/home/ubuntu/bXSS/server/controllers/xss.js:21:13)
at exports.capture (/home/ubuntu/bXSS/server/controllers/xss.js:56:3)
at Layer.handle [as handle_request] (/home/ubuntu/bXSS/node_modules/express/lib/router/layer.js:95:5)
at next (/home/ubuntu/bXSS/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/ubuntu/bXSS/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/ubuntu/bXSS/node_modules/express/lib/router/layer.js:95:5)
at /home/ubuntu/bXSS/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/ubuntu/bXSS/node_modules/express/lib/router/index.js:335:12)
at next (/home/ubuntu/bXSS/node_modules/express/lib/router/index.js:275:10)
at urlencodedParser (/home/ubuntu/bXSS/node_modules/body-parser/lib/types/urlencoded.js:91:7)
at Layer.handle [as handle_request] (/home/ubuntu/bXSS/node_modules/express/lib/router/layer.js:95:5)
All that is required is the Slack Bot API + #channel in the config file?
Cheers
I am a bit unsure if my config is correct.
When I start bXSS I get: bXSS listening on port undefined
config.github = {};
if I don't want to use it?
config.url = process.env.url || 'mydoamin.com';
to config.url = 'mydoamin.com';
?
config.letsEncrypt.publicKey = '/etc/letsencrypt/live/mydoamin.com/fullchain.pem';
The current project is in a good state, but for future usage and extending further I think the best option will be to re-write the project in TypeScript; this will reduce errors overall.
The app should leverage nodemailer's other functionalities and make it possible to use tokens rather than just Gmail credentials, along with your own email set-ups.
I followed the provided instructions; however, on running "node app.js" I am getting the error in the title. Tested on node version 13.8.0 and Ubuntu 18.04.4 LTS.
Currently it's just console.log; if this were to be used effectively by a blue team, we need to configure something such as winston.
Other tools such as xsshunter offer html2canvas, there was recently a reference to it again via https://research.digitalinterruption.com/2018/12/18/a-deeper-look-into-xss-payloads/ which I think can be easily implemented into bXSS.
I've been having a few thoughts on where this would like to move forward with additional services.
Github is where developers live, and for example if a new project is being built, and it's connecting with other services -- a good idea would be to, if bXSS is used for a certain git project, when XSS is identified, automatically report it as an issue in the project it was spun up for.
Suggesting we probably use https://github.com/pksunkara/octonode which has an easy function to embed: repo.create_issue({title: ''}, callback);
Hey
I would like to add Discord support, so I am checking if you're open to the idea!
I would add a dependency on discord.js, and few relevant configuration options.
Thoughts?
Need a way to capture what payload fired on the client, this can probably be done by just giving the element created a class name, with an identifier for the generated payload e.g.
var x = document.createElement('script');
x.className = "1";
Then when processing on the server utilize the class name to determine what payload was fired and include that in reporting.
I wrote this over a few evenings, and it looks like it's possibly being used, so I need to write unit tests with ava https://github.com/avajs/ava.
First of all, thanks for such a project. Very handy to the community.
I think it would be a good idea to implement Slack hook notifications as well. Would it be something you had in mind or something too hard to implement?
Cheers
Need to improve reports to services, not everyone will use email, so:
Use markdown in reports to Slack and Webex Teams
Provide more information in Discord
Unable to login, facing this issue.
MongooseError: Operation users.findOne() buffering timed out after 10000ms
at Timeout. (/app/node_modules/mongoose/lib/drivers/node-mongodb-native/collection.js:175:23)
at listOnTimeout (node:internal/timers:559:17)
at processTimers (node:internal/timers:502:7)
Hello @LewisArdern,
config.js
const config = {};
//config.twilio = {};
config.gmail = {};
config.slack = {};
config.letsEncrypt = {};
config.port = process.env.PORT || 3030;
config.url = process.env.url || 'mydomain.me';
// used to split the results (don't remove)
config.boundary = process.env.boundary || '#!!!!#';
// Set to false by default (would recommend reverse proxy instead)
config.letsEncrypt.TLS = true;
config.letsEncrypt.publicKey = process.env.publicKey || '/etc/letsencrypt/live/mydomain.me/fullchain.pem';
config.letsEncrypt.privateKey = process.env.privateKey || '/etc/letsencrypt/live/mydomain.me/privkey.pem';
config.letsEncrypt.ca = '/etc/letsencrypt/live/mydomain.me/chain.pem';
// Remove if you don't want Twilio
//config.twilio.accountSid = process.env.accountSid || '';
//config.twilio.authToken = process.env.authToken || '';
//config.twilio.to = process.env.twilioTo || ['']; // add additional numbers with comma separation e.g '+447000000', ''
//config.twilio.from = process.env.twilioFrom || '';
// Remove if you don't want Slack
config.slack.token = process.env.token || 'xoxp-xxxxx-xxxx-xxxxx-xxxxxxxxxx';
config.slack.channel = process.env.slackChannel || 'general';
// Remove if you don't want Gmail
config.gmail.user = process.env.gmailUser || '[email protected]';
config.gmail.pass = process.env.gmailPass || 'xxxx';
config.gmail.to = process.env.gmailTo || ['[email protected]']; // add additional emails with comma separation '', ''
config.gmail.from = process.env.gmailFrom || '[email protected]';
module.exports = config;
http://mydomain.me:3030
but over https:// returns connection refused.
Thanks ~
This will allow people to quickly pull your Docker image from the store to pull, spin up and run bXSS.
The application should be able to email more than one person if it's being used by internal teams, or bug hunters who work in groups.