XSServe

XSServe is a shameless copy of heavily inspired by the XSSHunter project (by @IAmMandatory), rewritten in Go.

⚠ Disclaimer

The project is in a SEMI usable state right now, if you want a prime experience I still suggest the use of other tools.

NOTE: only basic authentication is supported for the UI for now.

📷 Mandatory screenshot(s)

Mandatory screenshot

Mandatory screenshot 2

🏁 Goals

The initial goal is to allow users to use the same service, but in a self-contained way for lazy penetration testers, like myself.

The final goal is still unclear as the project might evolve as different needs arise.

The basic current features include:

  • Blind XSS (screenshot, cookies, DOM)
  • Information gathering (browser fingerprinting, local time and date, UA)
  • Automatic session hijacking using Selenium (click big blue button, browse as victim!)
  • Websockets for live js injections (like BEeF, but simpler)

Planned features:

  • Spy mode: see what the user sees, types and points at in real time
  • BEeF like plugins and victim browser management
  • Report generation
  • Cool dashboard to keep track of them pwns
  • Payload obfuscation
  • Serving of custom js files via API

Possible “maybe” features:

  • Auto-submit to bug bounty platform(s)
  • Enable multiple users (this might need some major refactoring)
  • idk?

🔧 Build

This project requires at least golang >= 1.16, as it makes use of the embed package. To run the project:

go run main.go [options]

To build it:

go build xsserve

👋 Contributing

Currently I’d love some help with:

  • UI/UX: in case it wasn’t obvious by the look of it, the UI is pretty ugly. I wouldn’t mind a skilled UI designer to do a nice looking interface to ease the usage and look… well… good.
  • Developers: I am currently working on this project as I learn Go, in the little free time I have, I am by no means a developer so any advice is appreciated, without overly complicating the project.
  • Logo: cause every cool project has a logo.
  • Getting a life… Anyone?

If you want to get in touch hit me up on twitter or matrix!

✅ TODO

Here is a list of TODO I have handy, there is much more to do:

  • Basic functionality
  • Replace DB
  • Dashboard
  • Decent UI
  • Logo
  • Dynamic blind.js file
  • blind.js other fixes / simplify code
  • Dynamic hook.js file
  • Live browser “spy mode” (currently in the works, might change to webrtc later idk)
  • Plugin system for hook.js (capabilityEnum, webcam/mic, live, BitB, keylogger, eventHook)
  • Allow custom files served by /c
  • Self-signed HTTPS certificate on startup
  • Minor mimetype issues
  • Better report details page
  • Export reports to md file
  • Secure code review
  • Custom error pages
  • Moar payloads
  • Docs, docs everywhere!
  • Obfuscate payloads if requested
  • Integrated GeoIP for nonsense IP localization with minimap :)