Introduction
Welcome to the Bxss.io documentation.
Bxss.io is the world's safest Blind XSS platform. It is fully open-source and features a unique Bring Your Own Database (BYOD) architecture, ensuring your sensitive vulnerability data remains completely private and under your control.
Key Features
- Open Source: Verify the code yourself or self-host it.
- Privacy First: We don't store your findings. You do.
- BYOD Support: Connect your own Cloudflare D1 database.
- Modern Dashboard: A clean, efficient interface for all your Blind XSS detection needs.
Why Bxss.io?
- PRIVACY: Your vulnerability data is yours. We don't store any vulnerability data. You can verify this by checking our code.
- OPEN SOURCE: Bxss.io is fully open source. You can verify the code yourself or self-host it.
- User Experience: Bxss.io is designed to give you the best user interface and user experience. It is easy to use and understand. (The setup may take a little time compared to other tools where no setup is required, but it's worth it for the privacy it provides.)
Fields supported
Target Context
- Page Title - The title of the page where the payload executed.
- URL - The URL of the page where the payload executed.
- Pathname - The pathname of the page where the payload executed.
- Page Parameters - The parameters of the page where the payload executed.
- Screenshot - The screenshot of the page where the payload executed.
- Entire DOM - The entire DOM of the page where the payload executed.
Script Context
- Tracking Signature - The tracking signature of the payload, i.e. whatever you put in the meta parameter. Ex: https://bxss.win/username?meta=tracking-signature
- Script Parameters - The parameters of the script. Ex: https://bxss.win/username?meta=tracking-signature&param1=value1&param2=value2
- In Iframe - Whether the payload was executed in an iframe.
User Context
- IP Address - The IP address of the user.
- User Agent - The user agent of the user.
- Referrer - The referrer of the user.
- Origin - The origin of the user.
- Cookies - The cookies of the user.
- Local Storage - The local storage of the user.
- Session Storage - The session storage of the user.
How it works
Bxss.io works by injecting a small piece of JavaScript code into the web application. This code is executed by the browser when a user visits the page. The code then sends a request to the Bxss.io server, which stores the request in YOUR database (which we don't have any control over). We then send a notification to you via the configured notification channels, and you can view the details of the execution in the Bxss.io dashboard.
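The server-side half of that flow, as an added example that is not Bxss.io's own code: a Cloudflare Worker-style handler that accepts an execution report carrying the fields listed above, normalises it, and writes it with a parameterised statement into a D1 table the user owns (the BYOD model). The column names, the executions table and the DB binding are assumptions.

```javascript
// Added example (not Bxss.io's code). Column names below are assumptions
// that mirror the fields the platform records.
const FIELDS = [
  'pageTitle', 'url', 'pathname', 'pageParameters', 'screenshot', 'dom',
  'trackingSignature', 'scriptParameters', 'inIframe',
  'ipAddress', 'userAgent', 'referrer', 'origin', 'cookies',
  'localStorage', 'sessionStorage',
];

// Normalise one report: keep only known fields, stringify objects, store
// booleans as 0/1, and cap string length so a hostile page cannot push
// megabytes of DOM into the user's database in a single report.
function normalizeReport(raw, maxLen = 1000000) {
  const row = {};
  for (const f of FIELDS) {
    let v = raw[f];
    if (v === undefined || v === null) v = null;
    else if (typeof v === 'boolean') v = v ? 1 : 0;
    else if (typeof v !== 'string') v = JSON.stringify(v);
    if (typeof v === 'string' && v.length > maxLen) v = v.slice(0, maxLen);
    row[f] = v;
  }
  return row;
}

// Build a parameterised INSERT. Column identifiers come only from FIELDS
// (never from the report), and every value is bound through a placeholder,
// so attacker-controlled page content cannot inject into the D1 query.
function buildInsert(row, table = 'executions') {
  const cols = Object.keys(row);
  const placeholders = cols.map(() => '?').join(', ');
  const sql = `INSERT INTO ${table} (${cols.join(', ')}, received_at) ` +
              `VALUES (${placeholders}, ?)`;
  const values = cols.map((c) => row[c]);
  values.push(new Date().toISOString());
  return { sql, values };
}

// Worker entry point; assumes the user configured a D1 binding named DB.
const worker = {
  async fetch(request, env) {
    if (request.method !== 'POST') return new Response('method not allowed', { status: 405 });
    let raw;
    try { raw = await request.json(); } catch (e) { return new Response('bad json', { status: 400 }); }
    const { sql, values } = buildInsert(normalizeReport(raw));
    await env.DB.prepare(sql).bind(...values).run(); // D1 prepared statement
    return new Response(null, { status: 204 });
  },
};
```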
Getting Started
To get started with Bxss.io, you can follow the instructions in the Getting Started section to set up your database and configure alerts.
Self Host
To self-host Bxss.io, deploy it on your own server by following the instructions in the Self Host section.
License
Bxss.io is licensed under the MIT License.