ezXSS

I am happy to announce the release of ezXSS v4.2, marking a significant milestone in XSS attacks and web security. Building on the foundation laid by v4.0's complete recoded codebase and v4.1's introduction of persistent XSS sessions with reverse proxy, v4.2 brings improvements in performance, compatibility, and usability.

A lot of changes and a lot of big improvements. Updating to this version is highly recommended as you might not receive all reports you should receive with your current version. All information about installing, updating and using ezXSS can be found on the GitHub wiki: https://github.com/ssl/ezXSS/wiki

What's New in v4.2?

• Enhanced Performance: Up to 80% improvement in speed across the dashboard and reports, thanks to optimized data handling, compressing data and query improvements.
• More Compatibility: Payloads now trigger across a wider range of browsers, including older versions (IE8+, Chrome 3+, Firefox 4+, Safari 4+).
• Simplified Docker Installation: Updated Docker support with automatic certificate installation simplifies setup.
• One-Click Update: Seamlessly upgrade to v4.2 from as far back as v2.0
• New Features: Introducing the ezXSS Payload Tester, customizing storing methods, a "shortboost!" button and much more.

Changelog Highlights:

• Major speed optimizations for dashboard and report interactions.
• Extended payload compatibility with older browsers and protocols.
• Docker enhancements for effortless installation and certification.
• New option to store screenshot either in the database or as file on the server
• New option to store big reports/session data as plaintext or compressed
• Comprehensive updates to user agent lists, data fetching via API, logging, and more data table integration.
• New payload features, including a copy-to-clipboard button and more example payloads.
• New theme, alongside other design and usability improvements across the platform.
• Significant bug fixes in report generation, cookie copying, persistent pages, queries and much more.

Given the substantial feature expansion from ezXSS v3.x, the transition might be quite extensive. All these functionalities are elaborated in our wiki. With over 3000 lines of code enhancements since v4.1, v4.2 is the definitive, production-ready package designed to test your web applications against XSS vulnerabilities.

Your feedback and contributions have been important in shaping ezXSS into the robust tool it is today. Thanks everyone for using ezXSS and please consider supporting the project by submitting new code, feature requests, issue reporting or by donating through Github Sponsors <3.

Introducing ezXSS v4.1, a extensive upgrade that takes the excellence of ezXSS v4.0 to the next level. With a plethora of features focusing on XSS payload persistence, reverse proxying, log storage, and much more, this version aims to enhance the experience and efficiency significantly. This version includes at least the following new features and improvements:

• Persistent Sessions. An XSS trigger can now persist in the browser for as long as the user's tab remains open, and even continue if the user navigates to other pages on the site.
• To accompany the persistent sessions, a Reverse Proxy has been added. This powerful feature enables you to fully utilize the compromised user's browser and session to send requests to the website, an invaluable tool for red teaming.
• The option to execute JavaScript live on all connected sessions, providing real-time control and manipulation.
• Logs have been added. If activated, specific user actions will be logged in the database, providing valuable insights.
• The admin dashboard introduces new kinds of statistics, allowing a broader and more detailed view of activities.
• A new sign up page has been added. Although disabled by default, once enabled, it allows anyone to create their own account/payload.
• Numerous bug fixes have been implemented, notably in areas like alerts, Docker, (mobile) designing and more.
• Various minor improvements have also been added, enhancing the overall system performance.

Given the substantial feature expansion from ezXSS v3.x, the transition might be quite extensive. To ensure a good understanding, we have elaborated on all these functionalities in our wiki. Visit github.com/ssl/ezXSS/wiki for a comprehensive guide to all the latest enhancements. Thanks everyone for using ezXSS and please consider supporting the project by submitting new code, feature requests, issue reporting or by donating through Github Sponsors <3.

I am excited to announce the release of ezXSS v4.0, a major update to the XSS tool. This version includes at least the following new features and improvements:

• Completely re-coded, resulting in clean, readable code that is easy to understand and maintain
• Multi-user setup that allows for roles and payload separation
• Alerts via Slack and Discord in addition to existing support for email and Telegram
• Redesigned pages and fixed styling bugs
• More statistics on the dashboards
• Improved reports view and search
• Ability to render collected DOM pages
• Lots of smaller bug fixes
• and much much more amazing things!

It is highly recommended to update to ezXSS v4.0, as version 3.x will no longer be supported due to its old codebase. If you are currently running an older version of ezXSS, please make sure to first update to version >3.10 before upgrading to v4.0. Also, after updating, the default username will be "admin".

Thank you for your continued support and I hope you enjoy using the new and improved ezXSS v4.0!

The official release of ezXSS v3.10. This update brings some great new features and fixes.

What is new in ezXSS v3.10?

• Added Telegram alerts
• Added ability to send alerts to custom endpoint
• Ability to customize admin (manage) link
• Extract additional defined pages
• Allow wildcard in blocked and whitelist domains
• Faster user experience because of query improvements
• Updated the screenshot html2canvas library
• Updated the styling and placement of some pages
• Improved Docker installation and added first steps to Docker Hub (@Flightkick)
• Fixed some bugs

ezXSS v3.9 is a big update in terms of performance, styling and functionality. In case you working with company's that don't like you to collect all information that ezXSS can collect, you can now select what you want to collect and what not.

Also, there is a new theme called 'Green' which gives a new experience to ezXSS. I endorse people to create their own themes and create a pull request for it! (Have a look and copy at green.css).

• New theme and ability to switch between themes
• Ability to select what to collect on payload
• Big (SQL) performance enhancement to all pages
• Cleaned up some code
• CSS stylesheet is now minified and self-hosted
• Cleaned up some styling
• Added timezone dropdown in settings
• Fixed some bugs

This version brings some small but handy features and bug fixes.

• Added 'Copy cookies as JSON' button
• Added nginx rewrite example file
• Added ability to share reports via email #62
• Some small styling updates #63
• Fixed updating not working in <3.5

ezXSS v3.7 makes it possible to run ezXSS in Docker, and fixes some small things.
If updating from 3.6 to 3.7; remove config.ini and rename the new .env.example to .env.

• Added Docker support thanks to @GlitchWitchSec
• Put local & session storage in textbox
• New update method that is future proof
• Fixed some bugs
• Renamed config.ini to .env

Thanks for using ezXSS!

Thanks for using ezXSS! 3.6 brings some new features and bug fixes.

In order to update ezXSS 3.x to 3.6 you need to rename config.ini.example to config.ini and fill in your database information. Your database information is no longer stored in the Database.php.

Changelog:

Fixed #56, bug on deleting reports on page 2 or up
Fixed and added #55, custom send mail from
Added config file
Renamed some things
Fixed some other small bugs

v3.5 makes it possible to use multiple payload (links). Add a custom string after your payload link to distinguish insert points.

If you need a complete custom script you can now add a javascript file to the templates folder and ezXSS will serve this. See /custom (/templates/custom.js) for an example.

• Fixed a bug in settings #53
• Added version check and updater
• Added custom payload link
• Added custom payload js file
• Fixed some bugs

ezXSS 3.4 makes it possible to select multiple reports and delete or archive them. It also adds the ability to share, delete or archive a report within the report page.

• Added Feature request: Add ability to share, delete, archive report from inside the actual report feature #40
• Added Feature request: Make it easier to delete more than 1 report at a time feature #39
• Fixed some other things

I will try to add more small feature requests before a possible 4.0 release. If you have any let me know. Thanks again for using ezXSS!

ezXSS 3.3 is a small update before the 4.0 release. I've refactored some code and added a kill switch.

It would probably still take some time before 4.0 will be released. More 3.x releases can be expected.

Thanks for using ezXSS!

ezXSS 3.2 is now available! This release fixes some bugs and security issues. ezXSS 3.1 and 3.0 are affected by these bugs, which are fixed in version 3.2. You should update to prevent information disclosure.

Changelog:

• Fixed search function
• Support chinese
• Fixed 2FA for new installations
• Fixed share report bug/security issue

Thanks to @54Pany and @geeknik

Quick update.

3.1 Changelog:

• Checks if you are on PHP >7.1
• Fixed an issue where blocked domains didn't properly work
• Fixed 2FA login
• Fixed a possible memory limit issue.

Will be working on v4.0 soon with a new codebase. Open for ideas and feedback.

Thanks for using ezXSS. After I quit working on this project for more than a year, the new release is here.

Update log ezXSS 3.0:

• Recoded the entire application
• Fixed & cleaned some styling issues
• Added back screenshots and option to disable
• Added Local Storage and Session Storage in payload
• Added direct share link for reports
• And many more small features and improvements

If you have any feedback, suggestions or found a bug please let me know.

Execute this SQL to update from 2.x to 3.0:

INSERT INTO `settings` (`id`, `setting`, `value`) VALUES (NULL, 'screenshot', '0');

ALTER TABLE `reports` ADD `screenshot` LONGTEXT NULL DEFAULT NULL AFTER `archive`, ADD `localstorage` LONGTEXT NULL DEFAULT NULL AFTER `archive`, ADD `sessionstorage` LONGTEXT NULL DEFAULT NULL AFTER `archive`, ADD `shareid` VARCHAR(50) NOT NULL AFTER `id`;

UPDATE `reports` SET `shareid` = concat(
    lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0),
    lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0),
    lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0),
    lpad(conv(floor(rand()*pow(36,8)), 10, 36), 8, 0)
);

Hey! Because of massive interests in ezXSS, I decided to release a small update.

• Fixed an issue with reports not showing up
  • If you still have this issue, please check https://github.com/ssl/ezXSS/issues/10
• Fixed an small parsing issue

I am currently busy with ezXSS 3.0, stay tuned!

The great release with great new functions. It is here.

This version contains:

• Fixed all small bugs and typos I could find.
• You are now able to block a domain
• Added a notepad to the dashboard. In case you need to save some info!
• Share page is removed and now integrated on the reports page with a modal.
• Archive reports that you don't want to see, but also don't want to delete.
• Search page is removed and now fully integrated on the reports page.
• Searching is now optimized, find things even better.
• Added more payloads.
• Added the setting to change your domain name for payloads.
• Added API key. The API is not done, so you can not use it yet.

If you find any bugs or have a great idea, let me know! Next version with API and a new feature you would love (suggested by @dev) coming soon!

ezXSS is a bit optimized. Some templates are removed and integrated into the framework.

• Screenshots removed
• Fixed an share issue

Screenshots are temporary removed. I noticed that on some sites the callback was not called because of an issue with making the screenshot. Will try to fix this soon.

Please leave any positive or negative feedback, it helps!

The release of the first official ezXSS! Welcome to 2.0.

This version has a lot of new features and fixes, some of the main things:

• A total new design, hopefully you like it :-)
• The email design is also changed
• Installation is now easier
• Searching on the reports page
• The way you delete reports is changed, and screenshots of reports are now also deleted
• Removed username from logging in (password only)
• Option to add Google's 2FA to the login
• New favicon
• A lot of small features added, updated or deleted
• Cleaned up allot of code again

Please leave any positive or negative feedback, it helps!

It is here, ezXSS version 1.6

What is fixed?

• Fixed an HTTPS issue for some servers
• Fixed/removed the index.js for some servers
• Cleaned some CSS
• Secret key is removed from sharing (I even found out you could bypass the secret key)
• Filter tab removed to dashboard
• Changed some design things in "All reports" and "Search"

What is added?

• Custom JavaScript is here! Visit the payload page
• Check more statics on the dashboard
• Download latest ezXSS version from the dashboard

The next version will include even more great functions! Including ez installation and updating.

Here it is: ezXSS v1.5

What is changed?

• Cleaned up some code
• Now you can delete a report
• Share a report easier with auto fill
• Fixed an password changing issue where you could change the password without an correct current password
• New CDN for jquery and bootstrap
• Some small fixes

Soon I will release v1.6 with allot of new features.