ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
Some features ezXSS has
- Easy to use dashboard with statics, payloads, view/share/search reports and more
- Payload generator
- Instant email alert on payload
- Custom javascript payload
- Custom payload links to distinguish insert points
- Enable/Disable screenshots
- Prevent double payloads from saving or alerting
- Block domains
- Share reports with a direct link or with other ezXSS users
- Easily manage and view (multiple) reports
- Secure your login with extra protection (2FA)
- Killswitch
- The following information is collected on a vulnerable page:
- The URL of the page
- IP Address
- Any page referer (or share referer)
- The User-Agent
- All Non-HTTP-Only Cookies
- All Locale Storage
- All Session Storage
- Full HTML DOM source of the page
- Page origin
- Time of execution
- Screenshot of the page
- its just ez :-)
- A host with PHP 7.1 or up
- A domain name (consider a short one)
- An SSL if you want to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL)
ezXSS is ez to install
- Clone the repository and put the files in the document root
- Rename config.ini.example to config.ini
- Create an empty database and provide your database information in config.ini
- Visit /manage/install in your browser and setup a password and email
- Done! That was ez right?
Make sure you have Apache with headers, rewrite and curl modules enabled (with a2enmod, apt-get curl+php-curl) and that .htaccess file is correctly uploaded and allowed in vhost config (AllowOverride All).
For a demo visit demo.ezxss.com/manage with password demo1234. Please note that some features might be disabled in the demo version.
