ezXSS is an easy way for penetration testers and bug
bounty hunters to test (blind) Cross Site Scripting.
- Easy to use dashboard with settings, statistics, payloads, view/share/search reports
- Unlimited users with permissions to personal payloads & their reports
- Instant alerts via mail, Telegram, Slack, Discord or custom callback URL
- Custom javascript payloads
- Custom payload links to distinguish insert points
- Extract additional pages, block, whitelist and other filters
- Secure your login with Two-factor (2FA)
- The following information can be collected on a vulnerable page:
- The URL of the page
- IP Address
- Any page referer (or share referer)
- The User-Agent
- All Non-HTTP-Only Cookies
- All Locale Storage
- All Session Storage
- Full HTML DOM source of the page
- Page origin
- Time of execution
- Payload URL
- Screenshot of the page
- Extract additional defined pages
- much much more, and, its just ez :-)
- Server or hosting with PHP 7.1 or up
- Domain name (consider a short one)
- SSL Certificate to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL)
ezXSS is ez to install with Apache, NGINX or Docker
visit the wiki for installation instructions.
For a demo visit demo.ezxss.com/manage with password demo1234. Please note that some features might be disabled in the demo version.
No more need of having to install the tool on a server, as now users can register for an account on ez.pe, and start using the tool for free.