xss.io is Shutting Down

All good things eventually come to an end. All poorly maintained but fun projects tend to as well. After 4 years I’m going to shut down xss.io. Its last day will be September 30th.

xss.io was built to serve my needs for extended penetration tests and as a proof of concept for a talk I gave at DEFCON 20 demonstrating the usefulness of such a technique. It met this goal.

I open sourced it a while back, you can find the code here.

Here are some stats from xss.io’s run:

- 338 people logged in and used the tool
- 2850 dead drops were created
- 20134 calls back to those dead drops were received (chances are most of the traffic was bots or random views of certain endpoints)

Even with xss.io gone, there is a bright future for this technique.

Nothing makes me more excited than to see the concept inspire somebody to build something great because of it. Scott Behrens from Netflix has created sleepy-puppy, a tool that uses blind XSS (better referred to as delayed or deferred XSS) as a defensive tool.

I encourage you to check out sleepy-puppy, contribute to the project if you can and pour one out for xss.io.

