TOXSSIN is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an HTTPS server that works as an interpreter for the traffic generated by the malicious JavaScript payload that powers this tool (toxin.js).
https://github.com/t3l3machus/toxssin
Capabilities
By default, toxssin’s JavaScript poison automatically spreads across the elements and information of a webpage, abusing the XMLHttpRequest object to intercept:
- cookies (if the HttpOnly flag is not set),
- keystrokes (technically, an active keylogger),
- paste events,
- input change events,
- file selections,
- form submissions,
- server responses (to form submissions or clicking hyperlinks that target different pages and not internal parts of the same page),
- table data (static as well as updates on tables after a page has finished loading).
Most importantly, toxssin:
- attempts to create XSS persistence while the user browses the website by intercepting HTTP requests and responses and re-writing the document, creating the illusion of navigating when actually the document’s location never changes,
- supports session management (you can use it to exploit multiple targets at the same time e.g., by running an XSS-based phishing campaign or exploiting stored XSS),
- supports custom JS script execution against sessions (after a browser gets hooked, you can run custom JS scripts against it),
- automatically logs every session.
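The cookie item in the first list depends on the HttpOnly flag being absent, which a defender can check directly from response headers. The following is an added example, not part of toxssin or its repository: it parses `Set-Cookie` header values and reports which cookies injected script could read through `document.cookie`. The function names and the sample headers are constructed for illustration.

```javascript
// Added example (not toxssin code): audit Set-Cookie headers for the HttpOnly flag.
// A cookie set without HttpOnly is readable by any script running in the page.

// Parse one Set-Cookie header value. Attribute names are matched
// case-insensitively and only after the first name=value pair, so a cookie
// whose VALUE happens to contain "HttpOnly" is not mistaken for a protected one.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const pair = parts.shift() || '';
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: malformed header
  const attrs = new Set(parts.map((p) => p.split('=')[0].trim().toLowerCase()));
  return { name: pair.slice(0, eq).trim(), httpOnly: attrs.has('httponly') };
}

// Sort cookies into those exposed to page script and those protected by HttpOnly.
function auditSetCookie(headers) {
  const report = { scriptReadable: [], httpOnly: [], malformed: [] };
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c) report.malformed.push(h);
    else (c.httpOnly ? report.httpOnly : report.scriptReadable).push(c.name);
  }
  return report;
}

// Constructed sample headers (one value per Set-Cookie header).
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'auth_token=eyJ0eXAi; Path=/; Secure',   // no HttpOnly: exposed
  'prefs=1; Path=/; httponly',             // lower-case attribute still counts
  'note=HttpOnly; Path=/',                 // flag text in the value only: exposed
  'garbage',                               // malformed
];

console.log(auditSetCookie(SAMPLE_HEADERS));
```

Any session or authentication cookie that lands in `scriptReadable` should be reissued with HttpOnly set.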