At the moment, the tool comes with a small number of optional parameters whose defaults are set to values that promote a smooth and reliable execution flow. The verbosity can also be changed while the tool is running (via the command prompt). I won't repeat here the information you can get from the tool's help message (`-h`), but I do have a few noteworthy remarks about the tool's usage:

I set this option to `False` by default because it can get frustrating while testing the tool, but it's actually one of the best features and I encourage you to use it, especially in real engagements. When set to `True`, toxssin will identify traffic received from poisoned browsers and re-establish the session(s). This is cool because you can have the toxssin server running and, if a user opens a malicious link you sent in the past (it can be in the browser's history), the session will be established. You can test this behavior as follows:
- Run toxssin,
- Open a malicious link and have 1 or more sessions established,
- Close the toxssin server,
- Re-run toxssin with the `-g` option. After a few seconds the session(s) will be established again.
You can use the `exec` command to run custom JavaScript code from a file against a session by providing the session id. Instead of the SID you can type `active` to run the script against the currently active session. The script is placed in a queue for execution and will (by default) be executed at most 3 seconds after you call `exec`. This is because the JavaScript function that handles custom script executions runs periodically along with some other functions, and the length of that execution cycle is controlled by the `-f` parameter, which defaults to 3000 ms.
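The fixed `-f` cycle also gives defenders something to look for: a poisoned browser calls back on a near-constant period. As an added example (not part of toxssin), the following Python flags clients in constructed proxy log lines whose requests to one host recur every ~3 s with little jitter; the log format, the hostnames and the thresholds are assumptions.

```python
"""Added example (not toxssin code): flag browsers that poll a host on a
fixed cycle, the pattern a poisoned browser produces while toxssin's
periodic functions run every -f milliseconds (3000 by default)."""
from collections import defaultdict
from statistics import median

# Constructed web-proxy log lines: "<epoch_seconds> <client_ip> <host> <path>".
# 10.0.0.5 polls every ~3 s with low jitter; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
1700000000.00 10.0.0.5 cdn.example.test /hook.js
1700000003.01 10.0.0.5 cdn.example.test /hook.js
1700000006.02 10.0.0.5 cdn.example.test /hook.js
1700000009.00 10.0.0.5 cdn.example.test /hook.js
1700000012.03 10.0.0.5 cdn.example.test /hook.js
1700000001.00 10.0.0.9 www.example.test /
1700000007.50 10.0.0.9 www.example.test /news
1700000009.20 10.0.0.9 www.example.test /about
1700000030.00 10.0.0.9 www.example.test /contact
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _path = line.split()
        series[(client, host)].append(float(ts))
    return series


def find_beacons(text, period_s=3.0, tolerance=0.25, min_hits=4):
    """Return (client, host, median_gap) for series whose inter-request gaps
    cluster around period_s; tolerance is the allowed relative spread."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_hits:
            continue  # too few requests to call it periodic
        med = median(gaps)
        if abs(med - period_s) > tolerance * period_s:
            continue  # not the cycle we are hunting for
        # Low jitter: every gap lies within tolerance of the median gap.
        if all(abs(g - med) <= tolerance * med for g in gaps):
            hits.append((client, host, round(med, 2)))
    return hits


if __name__ == "__main__":
    for client, host, med in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: polling every ~{med}s")
```

Tune `period_s` to the `-f` value you expect and widen `tolerance` for clients behind lossy links; legitimate long-polling apps will also match, so treat a hit as a lead to verify, not a verdict.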
After running a custom script you will receive a report with its output (if any) and, if there were errors, the error messages. Here's an example output with a custom script that runs successfully and returns 'Scare transformation completed', and a second one that includes an intentional syntax error:

You can find a few example scripts to execute against sessions in the `custom_scripts` dir of the project.