toxssin is an open source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an https server that acts as an interpreter for the traffic generated by the malicious JavaScript payload that feeds this program (toxin.js). The creator of the program is the Greek programmer Panagiotis Chartas
This project started (and still is) an effort to explore the depth of exploitation that can introduce an XSS vulnerability using vanilla JavaScript.
Provided Cross-site Scripting ή XSS refers to a security vulnerability that allows a malicious user to inject JavaScript code into a web page. In turn, this code will be executed in the browser of the user who will attempt to visit the specific website. Attackers can exploit a cross-site scripting vulnerability to bypass access controls such as the Same-Origin Policy.
The impact of these attacks varies from small changes that potentially affect a user's experience, to far-reaching damage, depending on the sensitivity of the data handled by the vulnerable. website, but also efforts to mitigate the negative consequences.
Specifications
By default, toxssin's JavaScript is automatically passed to all data and a web page's information, abusing the XMLHttpRequest object to intercept data:
- cookies,
- key strokes,
- paste events,
- input change events,
- file selections,
- form submissions,
- server responses,
- table data,
Some important features of toxssin:
- It tries to create XSS persistence while the user is browsing the site, intercepting the http requests and responses and rebuilding the document, when in fact the location of the document never changes,
- Supports session management (you can use it to exploit multiple targets simultaneously, e.g. by running a series of XSS-based phishing attacks or by exploiting some stored XSS);
- Supports implementation custom JS scripts in sessions (once a browser is connected, you can run custom JS scripts in it),
- Automatically records every session.
Installation and use
git clone https://github.com/t3l3machus/toxssin
cd ./toxssin
pip3 install -r requirements.txt
To run toxssin.py, you need to download the ssl and private key files.
It is achieved with the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
It is recommended to run toxssin with a trusted certificate. You are then able to run the program by running the toxssin server as follows:
# python3 toxssin.py -u https://your.domain.com -c /your/certificate.pem -k /your/privkey.pem
You will find more details here.
XSS exploitation difficulties
There are 4 major obstacles when it comes to Cross-Site Scripting attacks:
- το σφάλμα "Mixed Content", το οποίο μπορεί να επιλυθεί εξυπηρετώντας το JavaScript payload μέσω https.
- το σφάλμα "NET::ERR_CERT_AUTHORITY_INVALID", το οποίο υποδεικνύει ότι το πιστοποιητικό του διακομιστή δεν είναι αξιόπιστο / έχει λήξει και μπορεί να παρακαμφθεί με τη χρήση πιστοποιητικού που έχει εκδοθεί από αξιόπιστη πηγή.
- Cross-origin resource sharing (CORS), handled appropriately by the toxssin server.
- The epiheader Content-Security-Policy with script-src set to domain-specific only, will prevent scripts with cross-domain src from loading. Toxssin relies on the eval() function to deliver the payload, so if the site has a CSP and unsafe-eval source is not specified in script-src, the attack will likely fail.
Video guide
Application snapshots
You can download the program from here