-
-
Notifications
You must be signed in to change notification settings - Fork 340
How to: use ezXSS
ezXSS is a tool that is designed to help users find and exploit cross-site scripting (XSS) vulnerabilities, including blind XSS. One of the key features of ezXSS is its ability to identify and exploit blind XSS vulnerabilities, which can be difficult to find using traditional methods.
One of the ways ezXSS can be used to find blind XSS is by adding a payload, found in the payloads tab, to any website. Once the payload is added, the user can wait until it is triggered, at which point ezXSS will alert the user with a full page report. This report includes information such as the payload that was used, the URL where the payload was triggered, and any other relevant data.
This feature makes it a powerful tool for identifying and exploiting blind XSS vulnerabilities, as it allows users to easily test a large number of websites and payloads without the need for manual testing. Additionally, ezXSS offers a feature for on-demand payloads, which are triggered once, and a feature for persistent payloads, which are triggered and can remain persistent as a man-in-the-middle in the browser aslong as the browser is open.
It is important to note that performing XSS attacks without permission is illegal. The tool is provided for educational and testing purposes only.
Your personal dashboard contains statistics on your personal payload reports. Use it to track the progress of your reports and stay informed on your payloads.
On this dashboard, only statistics of the payloads you hold in your account are counted. Payloads can be added to your account by admins via the Users page
Here, you can make changes to your account settings, such as updating your password and managing alerts. Some of the things you can do here include changing your password, enabling or disabling 2FA, and logging out of your account.
Additionally, you can adjust your alert settings to receive notifications via email, Telegram, Slack, or Discord when a payload you own is triggered. Please note that only alert types that have been activated by an administrator can be used. Additionally, if you are an administrator or using a single-user ezXSS installation, you may find it more convenient to set your alert settings in the "Admin -> Settings" page, where you will be alerted for any payload.
The payloads page allows you to customize your payload settings, such as extracting additional pages and managing white/blacklisted domains. Use it to edit the information that your payloads collect. The select box at the top of the page enables you to switch between all of your different payloads.
On this page you can also enable persistent mode for a specific payload. When it is enabled by the admin in the settings page, enabling this makes it a persistent payload type.
Administrators can assign additional payloads to you in the "Admin -> Users" page. You can also find different ways to inject your payloads into websites, change what information to collect, and add custom javascript that runs every time your payload is loaded. Additionally, you can extract additional pages by adding their URLs and block or whitelist certain domains to control which alerts you receive.
The admin dashboard contains various statistics and tools to help you manage and monitor the ezXSS platform.
This dashboard contain statistics of all reports within ezXSS.
The admin settings page allows you to customize and configure various features of the ezXSS platform. On the global payload settings, you can specify what types of data users are allowed to collect on their payloads and add custom javascript to be included in all payloads. Here you can also enable logging on the ezXSS platform.
In the global alert settings, you can set up notifications to be sent to your email, Telegram, Slack, or Discord account when any payload is triggered. If you only want to be alerted for your own payloads, you should change these settings in your account settings page. You can also manage which alert options are enabled and available to be used on the platform.
At the callback alert settings, you can add a link that will be called when a payload is triggered. The report data will be sent to this link in JSON format.
Finally, the kill switch allows you to shut down the entire ezXSS platform. Any page requested from the web server will return a 404 error. To reactivate the platform, you can add "/?pass=<the password you've set up>" to any link and it will return to normal.
The users page lets you create and edit user accounts within ezXSS. Use it to manage user permissions and payloads.
Add or edit user data. Within the edit panel you can also add payloads which the user is allowed to use and view.
When enabled, the log data page allows to view all the saved logs data, including descriptions, user information, and IP addresses associated with each activity.
The reports page allows you to view, search, share, and delete all of your payload's reports. Use it to track important data and to share reports with your stakeholders.
You can also filter on specific payloads you hold using the dropdown on the top of the page.
This does not hold archived reports.
The reports page allows you to view, search, share, and delete all of your payload's reports. Use it to track important data and to share reports with your stakeholders.
You can also filter on specific payloads you hold using the dropdown on the top of the page.
This only holds archived reports.
The sessions page allows you to view, search and delete all of your payload's persistent sessions. Use it to track online and offline sessions. Select multiple sessions to execute javascript on multiple targets.
The session page allows you to manage, proxy, and delete your session. Also holds all the information like URL, cookies, HTML DOM and more. From here, it is also possible to view all requests made by a session