Disclaimer: The project is quite fresh and has not been widely tested.
Find screenshots here.
By default, toxssin intercepts:
- cookies (if HttpOnly not present),
- paste events,
- input change events,
- file selections,
- form submissions,
- server responses,
- table data (static as well as updates),
Most importantly, toxssin:
- attempts to maintain XSS persistence while the user browses the website by intercepting http requests & responses and re-writing the document,
- supports session management, meaning that, you can use it to exploit reflected as well as stored XSS,
- supports custom JS script execution against sessions,
- automatically logs every session.
Installation & Usage
git clone https://github.com/t3l3machus/toxssin
pip3 install -r requirements.txt
To start toxssin.py, you will need to supply ssl certificate and private key files.
If you don’t own a domain with a trusted certificate, you can issue and use self-signed certificates with the following command (although this won’t take you far):
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
It is strongly recommended to run toxssin with a trusted certificate (see How to get a Valid Certificate in this document). That said, you can start the toxssin server like this:
# python3 toxssin.py -u https://your.domain.com -c /your/certificate.pem -k /your/privkey.pem
Visit the project’s wiki for additional information.
XSS Exploitation Obstacles
In my experience, there are 4 major obstacles when it comes to Cross-Site Scripting attacks attempting to include external JS scripts:
- the “NET::ERR_CERT_AUTHORITY_INVALID” error, which indicates that the server’s certificate is untrusted / expired and can be bypassed by using a certificate issued by a trusted Authority.
- Cross-origin resource sharing (CORS), which is handled appropriately by the toxssin server.
Content-Security-Policyheader with the
script-srcset to specific domain(s) only will block scripts with cross-domain src from loading. Toxssin relies on the
eval()function to deliver its poison, so, if the website has a CSP and the
unsafe-evalsource expression is not specified in the
script-srcdirective, the attack will most likely fail (i’m working on a second poison delivery method to work around this).
How to get a Valid Certificate
First, you need to own a domain name. The fastest and most economic way to get one (in my knowledge) is via a cheap domain registrar service (e.g. https://www.namecheap.com/). Search for a random string domain name (e.g. “fvcm98duf”) and check the less popular TLDs, like .xyz, as they will probably cost around 3$ per year.
After you purchase a domain name, you can use certbot (Let’s Encrypt) to get a trusted certificate in 5 minutes or less:
- Append an A record to your Domain’s DNS settings so that it points to your server ip,
- Follow certbots official instructions.
Tip: Don’t install and run certbot on your own, you might get unexpected errors. Stick with the instructions.
2022-06-19 – Added the exec prompt command (you can now execute custom JS scripts against a session).
2022-06-23 – I added two simple, dirty scripts as templates for testing the exec prompt command. I also fixed the cmd prompt’s backward history access and made some improvements.
The idea is to make it sharper, more reliable and expand its capabilities. Currently, i’m working on improving file captures.