Create, encode and deploy complex JS payloads.
This tool gathers some of the most reliable and useful JavaScript payloads that can be used in client-side attacks or while testing the security posture of a web application. They can be adapted and modified to your specific needs.
All of the required dependencies can be installed with the following command:
pip install -r requirements.txt
Choose from several code templates to grab keystrokes, execute system commands and exfiltrate important data from the target host. Save the generated payload to a file or the clipboard for further use.
Specify encoding schemes, custom script tags, format conversions and polyglot executors using an intuitive command-line interface.
An msfvenom-like approach to specifying options enables you to quickly tweak any payload. Every aspect of the payload's logic can be modified, allowing unique behaviour depending on what system you target.
Most payloads come with a built-in PHP handler that can be launched after generating the code template. It listens for status messages and data harvested by the launched payload.
More info about poXSSon and its usage can be found in our blog post: JS Payloads in 2021.
Contributions are always welcome!