Coder Social home page Coder Social logo

gmh5225 / xsshunter Goto Github PK

View Code? Open in Web Editor NEW

This project forked from rs-loves-bugs/xsshunter

0.0 1.0 0.0 4.3 MB

License: MIT License

Shell 0.02% JavaScript 23.93% Python 0.08% CSS 16.06% Makefile 0.01% HTML 2.05% Vue 15.36% Dockerfile 0.08% SCSS 42.42%

xsshunter's Introduction

A working and easy to install fork of XSSHunter

Fork features

It works and it's simple to setup: the current as of March 1, 2023 XSSHunter repository is not in a deploy-able state. This fork fixes that.

Single user support and multi user support: you can setup XSSHunter in either single user mode with only your account or in multi user mode using either the env file or with Google OAuth(allowing only the Gmail accounts you want to login). Compared, the original XSSHunter version only allows Google OAuth login and does not restrict the Gmail accounts allowed(all Gmail accounts can create an user and login).

Full Trufflehog support: Detect secrets on the page your payload fired. The original version implemented simple regex checks for AWS, GCP and Slack keys. This fork supports all the current ~750 detectors from Trufflehog.

No blurred screenshots

Local Storage: Read all data stored in Local Storage for the page the payload fired on

Slack, Discord, Telegram and custom notifications: this fork will send notifications to Slack, Discord and to your custom HTTP hook when a XSS triggers. Compared, the original XSSHunter version only sends email notifications.

Twitterย  Mastodon

Requirements

  • A server with git, docker and docker compose plugin installed. I'm using Ubuntu 22.04 LTS, you can follow these instructions to get docker and docker compose plugin on it
  • Two hostnames(for example admin.example.com and xss.example.com) you pointed to your server's ip address
  • [Optional for multi user login] Google OAuth client id and client secret
  • [Optional for email notifications] Sendgrid API key
  • [Optional for cloud storage] Google Cloud Storage setup on the server

Setup

Login as root on your server and run these commands:

# clone the repository
git clone https://github.com/rs-loves-bugs/xsshunter
# enter the directory
cd xsshunter
# enabled the environment variables file
cp env.example .env

Edit the following variables in the .env file:

  • SESSION_SECRET_KEY: set this to a long random string
  • HOSTNAME: set this to the hostname you want the admin panel on(for example admin.example.com)
  • XSS_HOSTNAME: set this to the hostname you want the xss probe on(for example xss.example.com)
  • PANEL_USERNAME: set the admin panel username, it has to be an email address(if you setup and enable email notification they'll be sent there)
  • PANEL_PASSWORD: set the password for the admin panel username

Run this command to setup XSSHunter:

# build and start the containers
docker compose up -d

When this finishes you can login on https://admin.example.com with the panel username and password. Go ahead and setup notifications and other settings in Settings.

Have fun!

Upgrading

Upgrading should be as simple as running these 4 commands:

# change directory to xsshunter
cd xsshunter
# stop the containers
docker compose down
# pull the update from Github
git pull
# build and start the containers
docker compose up -d --build

Optional Setup

Everytime you edit the .env you will need to restart the containers:

# edit the .env file in your favorite editor
nano .env 
# stop the containers
docker compose down
# start the containers
docker compose up -d

If you want email notifications(Discord/Slack notifications are better, Sendgrid is not really worth the trouble):

  • EMAIL_NOTIFICATIONS_ENABLED: set this variable to true
  • EMAIL_FROM: set this to the email address you want to send notifications from(one of your Sendgrid sender identity)
  • SENDGRID_API_KEY: set this to your Sendgrid API key

If you want a multi panel users setup:

  • PANEL_USERPASS_LIST: set this variable like this ["[email protected]:somepass", "another_email@another_example.com:anotherpass"]

If you want a multi user setup with Google OAuth:

  • OAUTH_LOGIN: set this variable to true
  • CLIENT_ID: set this to your Google OAuth client id
  • CLIENT_SECRET: set this to your Google OAuth client secret
  • GMAIL_ACCOUNTS: set this to a list of Gmail addresses you allow to create accounts and login, you need at least one address here. If you want to allow anyone remove this variable from the .env file

If you already have a webserver running on the host where you want XSSHunter setup run this command to setup XSSHunter:

Run this command to setup XSSHunter:

# build and start the containers
docker compose up -d xsshunterexpress-db xsshunterexpress-service xsshunterexpress-trufflehog

You can use apache.conf or nginx.conf config files from this repository as guides to setup vhosts on your web server.

Credits

  • Truffle Security for keeping XSSHunter alive
  • @catmandx for sharing their experience trying to deploy
  • @mandatoryprogrammer for creating XSSHunter

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.