
Toxssin – An XSS Exploitation Command-Line Interface And Payload Generator

Disclaimer: The project is quite fresh and has not been widely tested.

By default, toxssin intercepts:

Most importantly, toxssin:

To start toxssin.py, you will need to supply SSL certificate and private key files.

If you don’t own a domain with a trusted certificate, you can issue and use self-signed certificates with the following command (although this won’t take you far):

In my experience, there are 4 major obstacles when it comes to Cross-Site Scripting attacks attempting to include external JS scripts:

Note: The “Mixed Content” error can of course occur when the target website is hosted via http and the JavaScript payload via https. This limits the scope of toxssin to https-only websites, as (by default) toxssin is started with SSL only.

After you purchase a domain name, you can use certbot (Let’s Encrypt) to get a trusted certificate in 5 minutes or less:

Tip: Don’t install and run certbot on your own; you might get unexpected errors. Stick with the instructions.

2022-06-19 – Added the exec prompt command (you can now execute custom JS scripts against a session).
2022-06-23 – I added two simple, dirty scripts as templates for testing the exec prompt command. I also fixed the cmd prompt’s backward history access and made some improvements.

The idea is to make it sharper, more reliable and expand its capabilities. Currently, I’m working on improving file captures.

