Test website security with ease.
xss_bomb is a backend made to notify you when your xss payload is executed on a remote target and you do not have the luxury of directly knowing when the payload is ran on a target device. You can download the app for free in the release page. You can also contribute, if you wish to learn more about this app and it's api navigate to the wiki. DO NOT USE THIS SERVICE FOR ILLEGAL PURPOSES.
For the server you can create your own instance and host it online using docker. It can be local or private / public if you decide to share the link or not you can edit the public-instance.json file and send a pull request if you wish to be featured as a server on the list during startup of the app :)
The API documentation is available inside of the wiki and on postman here
xss_bomb/
├── app/ # The source code of the front-end app
│ └── [React Native Source Code]
├── assets/ # Image files for the logo and such
│ └── [Images]
├── backend/ # The source code of the back-end
│ └── [Node Js Source Code]
├── data/ # Folder containing the main database
│ └── [MongoDB Raw Files]
├── redis/ # Folder containing the database for the refresh tokens
│ └── [Redis Raw Files]
├── logs/ # Folder containing the log file with every requests
│ └── xss_bomb.log
├── docker-compose.yml # The Docker file used to launch the database and back-end
├── LICENSE
├── public_instances.json # The file with approved servers that can be used by the front-end
└── README.md
If you dont want someone seeing your requests and data do not use a public instance I host my personnal instance on xss.leosmith.wtf it does not allow you to create accounts since I don't wan't to be seeing your bits on my db instance but you can publish your own instance publicly if you want and I'll add them to the public list if you message me.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent