XSShell - An XSS Reverse Shell Framework

XSShell is a cross-site-scripting reverse shell... Okay, well maybe it's not a true reverse shell, but it will allow you to interact in real time with an XSS victim's browser.

XSShell also comes with a number of premade XSS payloads to use:

  • \alert - send a js alert message
  • \cs - get cookies and any updates to the cookies
  • \gi - download all images on the page
  • \kl - key logger
  • \ll - list all links on the page
  • \src - download the current page source
  • \pfl - show the user a modal and prompt them to login
  • \xhr - make xhr requests in the context of the victim's browser

To install xsshell run:

    go get github.com/raz-varren/xsshell
    go install github.com/raz-varren/xsshell

The xsshell command:

    xsshell -h
    Usage of xsshell:
      -cert string
            ssl cert file
      -host string
            websocket listen address
      -key string
            ssl key file
      -log string
            specify a log file to log all console communication
      -path string
            websocket connection path (default "/s")
      -port string
            websocket listen port (default "8234")
      -servdir string
            specify a directory to serve files from. a file server will not be started if no directory is specified
      -servpath string
            specify the base url path that you want to serve files from (default "/static/")
      -wrkdir string
            working directory that will be used as the relative root path for any commands requiring user provided file paths (default "./")