XSS Hunter is a tool for finding cross-site scripting (XSS) vulnerabilities, including the elusive blind XSS. A web version of the tool is available at https://xsshunter.com but as an employee or researcher you may be worried about sending potentially sensitive information to a third party. Luckily the author @IAmMandatory released code with accompanying automation to make it easy to build your own instance of XSS Hunter from GitHub. The author also released a post on how to build that instance here, but I wanted to make a follow-up post which goes into further detail and uses an AWS EC2 instance for the server. AWS provides the ability to easily launch an EC2 instance, implement IP restrictions, and can be free.
You'll Need...
- AWS account to launch an EC2 instance
- Short Domain Name with the ability to configure DNS records
- Mailgun account to send E-mail alerts with XSS Hunter
- SSL Certificate (we will generate later)
Step 1: Purchase and Configure Domain
A domain is the only cost associated with this post if you don’t already have one. You want a short domain, two or three characters, to give you a better chance of submitting your payload where character limit restrictions exist. I used Namecheap to search for and purchase my domain which ended up being 3 characters with a 2-character length TLD for about $20/year. In Namecheap configure the advanced DNS setting to the following, some of the data required is obtained from Step 2:
You can use https://www.whatsmydns.net to check DNS propagation in real time.Step 2: Create MailGun Account
Sign up for a Mailgun account and add a new domain.
After adding the domain, you can access all of the information for it. Later during the setup of XSS Hunter you will be asked for the Mailgun API key. Additionally, in your Mailgun account you can access logs for auditing or to debug any issues with XSS Hunter’s alerts.
Step 3: Generate SSL Certificates
XSS Hunter requires SSL to be configured but we can accomplish this for free. Visit https://www.sslforfree.com/ for Let’s Encrypt CA certificates. Enter your domain with a prepended asterisk to ensure it’s a wildcard cert, such as *.tst.co, a version of your domain with "www" will be appended automatically, now click “Create Free SSL Certificate.” Follow the instructions to perform manual verification using TXT records. To do this go back to the Advanced DNS page in Namecheap and create two TXT records, one with the host of _acme-challenge and one with the host of _acme-challenge.www. You don’t need to include your domain name in these as Namecheap automatically appends it. Now for each host’s value, enter the corresponding unique string listed on the sslforfree page. Wait for propagation – usually it happens quickly, if not, ensure you have the proper TXT records configured. Now click the button “Download SSL Certificate.”
Success!
Step 4: Launch AWS Instance
Login to your AWS account, navigate to EC2 Dashboard, and select “Launch Instance”.
For the AMI, choose “Ubuntu Server 16.04 LTS” which is included in the free tier.
For the instance type choose the free tier eligible t2.micro with 1GB of memory and 8GB SSD Storage.
Lastly, modify your security settings by using an existing security group or creating a new security group. Here is where you can easily apply IP restrictions for your management service (port 22) and even on your web ports if you know for sure the IP ranges which could potentially call back with your triggered XSS payload.Before launching the instance, make sure you specify an existing key pair or create a new key pair to access the server.
Step 5: Configure Ubuntu and XSS Hunter
First, let’s get our SSL certs onto Ubuntu, to do this we can use SCP with the following command to put them in the /tmp folder:scp -i <key.pem> <ssl .crt and .key files> ubuntu@<AMI public dns>:/tmp/
Now access the server via SSH with the following command:
ssh -i <key.pem> ubuntu@<AMI public dns>
- apt update
- apt upgrade
- apt-get install python2.7
- ln -s /usr/bin/python2.7 /usr/bin/python
- apt-get install python-pip
- pip install pyyaml
- apt-get install nginx
- apt-get install postgresql postgresql-contrib
- sudo -i -u postgres
- psql template1
- CREATE USER xsshunter WITH PASSWORD 'EXAMPLE_PASSWORD';
- CREATE DATABASE xsshunter;
- \q
- exit
- git clone https://github.com/mystech7/xsshunter
- cd xsshunter
- ./generate_config.py
- sudo mv default /etc/nginx/sites-enabled/default
- sudo mkdir /etc/nginx/ssl
- sudo cp /tmp/{<domain.key>,<domain.crt>} /etc/nginx/ssl/
- sudo service nginx restart
- sudo apt-get install python-virtualenv python-dev libpq-dev libffi-dev
- tmux
- cd xsshunter/api/
- virtualenv env
- . env/bin/activate
- pip install -r requirements.txt
- ./apiserver.py
- ctrl+b, followed by c
- cd xsshunter/gui/
- virtualenv env
- . env/bin/activate
- pip install -r requirements.txt
- ./guiserver.py
- ctrl+b, followed by d
tmux list-sessions
and tmux attach -t <session#>
.Done! Now we have our own XSS Hunter server. You can create users with their own subdomains (e.g. a.tst.co), correctly receive payload triggers, and send e-mail alerts.