/ezXSS

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

Primary LanguagePHPMIT LicenseMIT


ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

Features

  • Easy to use dashboard with statistics, payloads, view/share/search reports
  • Payload generator
  • Instant alerts via mail, Telegram or custom callback URL
  • Custom javascript payloads
  • Custom payload links to distinguish insert points
  • Block, whitelist and other filters
  • Share reports with a direct link, via email or with other ezXSS users
  • Secure your login with Two-factor (2FA)
  • The following information can be collected on a vulnerable page:
    • The URL of the page
    • IP Address
    • Any page referer (or share referer)
    • The User-Agent
    • All Non-HTTP-Only Cookies
    • All Locale Storage
    • All Session Storage
    • Full HTML DOM source of the page
    • Page origin
    • Time of execution
    • Payload URL
    • Screenshot of the page
    • Extract additional defined pages
  • its just ez :-)

Required

  • Server or hosting with PHP 7.1 or up
  • Domain name (consider a short one)
  • SSL Certificate if you want to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL)

Installation

ezXSS is ez to install with Apache, NGINX or Docker

visit the wiki for installation instructions.

Live demo

For a demo visit demo.ezxss.com/manage with password demo1234. Please note that some features might be disabled in the demo version.