This simple Flask server app is meant to back cross-site scripting (XSS) proof-of-concept examples. Its main function is providing facilities for capturing and logging data from various events. It also contains some crude example scripts for actually submitting data to the server.
Note Future development, if any, will be done in the https://github.com/mgillam/csik repo.
Although this project does not contain any exploit code, we would like to remind you to always be certain you have explicit, written permission before testing an application.
Pull requests are welcome, however maintaining this project is not a priority for the original author. YMMV
Currently TLS isn't used in any sort of built-in form. A stop-gap measure is to run it behind a reverse proxy e.g. nginx
Python 3.x - this version was developed on 3.6.
- Clone the repo and
cdinto the directory. - Run
pip install -r requirements python csik.py
/hellotest path to verify all is good/idreturn an ID that can be used to uniquely tag subsequent traffic/xsocket.io data exfiltration endpoint/s/alias for the scripts subdirectory. Files retrieved from here are processed with a simple replacement of $$HOST$$ with the host header of the request./<anything else>XHR/fetch data exfiltration endpoint, where the path becomes the name for the log file.
- csik.py - the app logic
- /scripts - a place to get payloads from
- /logs - a place where the data gets logged to