From b81b0fd18d98d918c4a47f34caa77979c14ebfa2 Mon Sep 17 00:00:00 2001 From: Khaled Mohamed <46958133+xElkomy@users.noreply.github.com> Date: Sun, 5 Oct 2025 07:29:19 +0300 Subject: [PATCH] =?UTF-8?q?feat:=20add=20XSSHunter=20blueprint=20with=20Do?= =?UTF-8?q?cker=20Compose=20setup=20and=20configura=E2=80=A6=20(#287)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: add XSSHunter blueprint with Docker Compose setup and configuration templates * Change port to expose to work with Traefik * feat: add XSS Hunter blueprint configuration with environment variables and domain settings, don't use special characters * - if you will use special characters so add the password in a single quote to avoid the conflicts * Update blueprints/xsshunter/docker-compose.yml * Update blueprints/xsshunter/docker-compose.yml * Update blueprints/xsshunter/docker-compose.yml * Update blueprints/xsshunter/docker-compose.yml * Update blueprints/xsshunter/docker-compose.yml * Update blueprints/xsshunter/docker-compose.yml * Update blueprints/xsshunter/docker-compose.yml * Update blueprints/xsshunter/docker-compose.yml * Update docker-compose.yml Fix Network defined and version obsolete warning * chore(blueprints/xsshunter): adjust template and compose for Dokploy guidelines * chore: make service ports configurable via environment variables * Update meta.json * Update meta.json --------- Co-authored-by: Khaled Mohamed Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com> --- blueprints/xsshunter/docker-compose.yml | 87 ++++++++++++++++++++++++ blueprints/xsshunter/template.toml | 71 +++++++++++++++++++ blueprints/xsshunter/xsshunter.png | Bin 0 -> 1699 bytes meta.json | 17 +++++ 4 files changed, 175 insertions(+) create mode 100644 blueprints/xsshunter/docker-compose.yml create mode 100644 blueprints/xsshunter/template.toml create mode 100644 blueprints/xsshunter/xsshunter.png diff --git a/blueprints/xsshunter/docker-compose.yml b/blueprints/xsshunter/docker-compose.yml new file mode 100644 index 00000000..93763cf1 --- /dev/null +++ b/blueprints/xsshunter/docker-compose.yml @@ -0,0 +1,87 @@ +#version: '3.8' + +services: + xsshunterexpress-db: + image: postgres:15-alpine + restart: unless-stopped + environment: + POSTGRES_DB: ${POSTGRES_DB:-xsshunterexpress} + POSTGRES_USER: ${POSTGRES_USER:-xsshunterexpress} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-xsshunterexpress} + PGDATA: /var/lib/postgresql/data/pgdata + POSTGRES_HOST_AUTH_METHOD: trust + healthcheck: + test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-xsshunterexpress}"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 30s + volumes: + - postgres_data:/var/lib/postgresql/data/pgdata + + xsshunterexpress-service: + build: https://github.com/rs-loves-bugs/xsshunter.git + restart: unless-stopped + environment: + # Core Configuration + SESSION_SECRET_KEY: ${SESSION_SECRET_KEY} + HOSTNAME: ${HOSTNAME} + XSS_HOSTNAME: ${XSS_HOSTNAME} + + # Panel Configuration + PANEL_LOGIN: ${PANEL_LOGIN:-true} + PANEL_USERNAME: ${PANEL_USERNAME} + PANEL_PASSWORD: ${PANEL_PASSWORD} + ALLOW_EMPTY_USERPATH: ${ALLOW_EMPTY_USERPATH:-true} + + # OAuth Configuration + OAUTH_LOGIN: ${OAUTH_LOGIN:-false} + CLIENT_ID: ${CLIENT_ID:-} + CLIENT_SECRET: ${CLIENT_SECRET:-} + GMAIL_ACCOUNTS: ${GMAIL_ACCOUNTS:-} + + # Email Configuration + EMAIL_NOTIFICATIONS_ENABLED: ${EMAIL_NOTIFICATIONS_ENABLED:-false} + EMAIL_FROM: ${EMAIL_FROM:-} + SENDGRID_API_KEY: ${SENDGRID_API_KEY:-} + SENDGRID_UNSUBSRIBE_GROUP_ID: ${SENDGRID_UNSUBSRIBE_GROUP_ID:-} + + # Database Configuration + DATABASE_HOST: xsshunterexpress-db + POSTGRES_DB: ${POSTGRES_DB:-xsshunterexpress} + POSTGRES_USER: ${POSTGRES_USER:-xsshunterexpress} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-xsshunterexpress} + + # Application Configuration + NODE_ENV: ${NODE_ENV:-production} + PORT: ${PORT} + CONTROL_PANEL_ENABLED: ${CONTROL_PANEL_ENABLED:-true} + SCREENSHOTS_DIR: /app/payload-fire-images + TRUFFLEHOG_URL: http://${TRUFFLEHOG_HOST:-xsshunterexpress-trufflehog}:${TRUFFLEHOG_PORT:-8000}/trufflehog + + # Optional Services + SENTRY_DSN: ${SENTRY_DSN:-} + SENTRY_ENABLED: ${SENTRY_ENABLED:-false} + USE_CLOUD_STORAGE: ${USE_CLOUD_STORAGE:-false} + BUCKET_NAME: ${BUCKET_NAME:-} + expose: + - ${PORT:-8080} + volumes: + - payload_images:/app/payload-fire-images + depends_on: + xsshunterexpress-db: + condition: service_healthy + + xsshunterexpress-trufflehog: + build: + context: https://github.com/rs-loves-bugs/xsshunter.git + dockerfile: Dockerfile.trufflehog + restart: unless-stopped + expose: + - ${TRUFFLEHOG_PORT:-8000} + +volumes: + postgres_data: + driver: local + payload_images: + driver: local diff --git a/blueprints/xsshunter/template.toml b/blueprints/xsshunter/template.toml new file mode 100644 index 00000000..70bb0a6f --- /dev/null +++ b/blueprints/xsshunter/template.toml @@ -0,0 +1,71 @@ +[variables] +admin_domain = "${domain}" +xss_domain = "${domain}" +session_secret = "${base64:64}" +admin_password = "${password:32}" +db_password = "${password:16}" +postgres_user = "xsshunterexpress" +postgres_db = "xsshunterexpress" + +[config] +[[config.domains]] +serviceName = "xsshunterexpress-service" +port = 8080 +host = "${admin_domain}" + +[[config.domains]] +serviceName = "xsshunterexpress-service" +port = 8080 +host = "xss.${admin_domain}" + +[config.env] +# Core Configuration +SESSION_SECRET_KEY = "${session_secret}" +HOSTNAME = "${admin_domain}" +XSS_HOSTNAME = "xss.${admin_domain}" + +# Panel Configuration +PANEL_LOGIN = "true" +PANEL_USERNAME = "admin@${admin_domain}" +PANEL_PASSWORD = '${admin_password}' # [ use single quote to avoid the problem] just to let you know takecare of the special characters, it will make your password invalid, so make a strong password without special characters +ALLOW_EMPTY_USERPATH = "true" + +# OAuth Configuration (disabled by default) +OAUTH_LOGIN = "false" +CLIENT_ID = "" +CLIENT_SECRET = "" +GMAIL_ACCOUNTS = "" + +# Email Configuration (disabled by default) +EMAIL_NOTIFICATIONS_ENABLED = "false" +EMAIL_FROM = "" +SENDGRID_API_KEY = "" +SENDGRID_UNSUBSRIBE_GROUP_ID = "" + +# Database Configuration +DATABASE_HOST = "xsshunterexpress-db" +POSTGRES_DB = "${postgres_db}" +POSTGRES_USER = "${postgres_user}" +POSTGRES_PASSWORD = "${db_password}" + +# Application Configuration +NODE_ENV = "production" +PORT = "8080" +CONTROL_PANEL_ENABLED = "true" +SCREENSHOTS_DIR = "/app/payload-fire-images" +TRUFFLEHOG_URL = "http://${TRUFFLEHOG_HOST}:${TRUFFLEHOG_PORT}/trufflehog" + +# Port Configuration +APP_PORT = "8080" +TRUFFLEHOG_HOST = "xsshunterexpress-trufflehog" +TRUFFLEHOG_PORT = "8000" + +# Optional Services (disabled by default) +SENTRY_DSN = "" +SENTRY_ENABLED = "false" +USE_CLOUD_STORAGE = "false" +BUCKET_NAME = "" + +[[config.mounts]] +filePath = "./payload-fire-images" +content = "Directory for storing XSS payload screenshots and collected data" diff --git a/blueprints/xsshunter/xsshunter.png b/blueprints/xsshunter/xsshunter.png new file mode 100644 index 0000000000000000000000000000000000000000..ed14d7d01d55b0e1c3ecb3c319ffbab6c4e59d0d GIT binary patch literal 1699 zcmYjQdpJ~S96k)mj9enO41+L<5=L6>K8Ded`=xpiDMBTMFe(~KiZ0UCmgLsD)YNXZ zM%x9o*-dFHHhK`{+M?*T&75<7`+e$zgA+tM;u>OuYm5^_EW|)yf^jSlA{T>@gGZbb zY<7V(Tktf4NHm3q+rCuLEY5~XML4YjQ6`XJ0LN4zPaU#mLnw!i*QIxBOb0}MmO!)<`egFo z7A-BQLRNu_bJ_Cx22WFR0VG=2W>BRluRsY#?b7 zRb)tKa$$=-bwVE-aARXNJ{w1NWkU@iZz9MW1gx=xT0-7TfY1o-JS`zmMzWp(tMp;D z9-V4KUY-eYJlNzwp4X<2sM5JCs3WLT`rt7ayyrr=F`cXlfd=4b4qFz}!XoB_lvq>^>0 z{VcLZnJ$_MYv<63TJqZp_;2AG(+5qUT7gc}q>dXxg(7`)=2&)m1UeGZ?LmIQL?`2f z`oF7{9=;Azo8cl=QB-g;I^Iup9JLSl`E;CK#FyoHF#P^rv}MYN_BxvO>6mblh^`it@EZBM zww_xwar$m=*M_&1P42s|-nd^q_*@~iD52tPYP54mW#p!p4`_Kyhiqcx!mCLe`Iwj{ zWnX?cG}tG)==EvrgY5FeWW&Jgw*1!WtnPWYO)CgO@kcKKKg78;I?8p%^2vhoFCv3& z3KRPWy-(RT)wmXB#>O0c{fc{*DfNgs;ikLnOm1+tG~Va(kffok*R6A~Yh_BoK>FBI z)f3GUamx|gW2q_u{M)nAly`XTJLn>2idTty8t*nY?-|M&&@9Z^v!r$9MJ0X1%Inu3 z1?cEII6PnsrnAZZiI}>wq0tUqN%kwjVvE1oQOYe5%Wk&~!eWXU|u5+A^ zKj<_Ngqze%u3wk4pzl=Spm=`g==qTcHKGsknN^n@gSh#%cXh^kZ)vNo8MkTYByk!W zql%6e5y4mVY8%(A;2W&JDcQSiufDU6*!o=0&8ZpXjrP12hc^uk|d%1mEXr&!^AyOw+GooywzchgP6 z>YNJ6r9+Rb!=kjA1CGAFq3LHccL90eak{^87i;Q|!1vZB8fyzJZmf5e^Fn*tdUuHE zd!L8X{n=ftPoCncl!8TEX~TOn{yO4X-|xkD^NwW7K7DLIRJXd(wEx+BwW$ksT%FHj z4Ike%)lqW)Zgo0&Que%#6W(2NEmX`@x_FXdzUlEf;ho6R&O6X}%llN~T4@#|zBMq8 zWos-7dE1pD+uH4YJ|{X)oytm{Z13$6UixC)S$3eRa+P{@-&8S!qb&c#{%(8!Xz#6j z`;D@9)o+rvyRUwC)tSrEJ(EM$K74a^_>PF0T~5S!xRxBscU-oTDN}A!4R4T5Ex3~7 z4m2zsebJHlc<=F%R6RpU*R`ba{0ytZ)I_OW^o~+~{SU05BJI8>+6P|#n%cT=W!$+I zzti>`!=#0VESIo0&7l`Jv*b6V!}V7FCHj>bdNT;^jPS@Rz3YFXlSX)X_z5I#Q91ts Df6rh5 literal 0 HcmV?d00001 diff --git a/meta.json b/meta.json index 095d350f..540e970e 100644 --- a/meta.json +++ b/meta.json @@ -5253,6 +5253,23 @@ "cms" ] }, + { + "id": "xsshunter", + "name": "XSSHunter", + "version": "latest", + "description": "XSSHunter is an open-source platform designed to identify and exploit blind Cross-Site Scripting (XSS) vulnerabilities. It provides security researchers, bug bounty hunters, and penetration testers with a comprehensive toolkit for detecting XSS flaws that are otherwise difficult to discover through traditional testing methods.", + "logo": "xsshunter.png", + "links": { + "github": "https://github.com/rs-loves-bugs/xsshunter", + "website": "https://github.com/rs-loves-bugs/xsshunter", + "docs": "https://github.com/rs-loves-bugs/xsshunter#requirements" + }, + "tags": [ + "pentest", + "xsshunter", + "bugbounty" + ] + }, { "id": "yamtrack", "name": "Yamtrack",