I’m very pleased to present you with a (more or less) usable version of XCampo!

What is XCampo? I decided to write this when I was coming back from the RootedCon conference in Madrid and it is intended to help me (and anyone who wants to use it) to generate better screenshots and demos for the report generation (and presentation) process.

Sometimes, when people generate security reports and want to represent the risk of an XSS vulnerability, they insert a simple script that shows an alert box with the name of the website or with some text. This illustrates the possibility of executing anything we want, and security people understand this… but do non-technical people?

Using this PHP code you will get a nice page with some options to dynamically generate different payloads for your demos:

  • Fake login: Generates a fake login form page to force the user to insert their login details.
  • hax0r defacement: Tries to generate a black layer over everything, with a text and an audio file.
  • Form redirection: Redirects any form in the website to a specified URL.
  • Password manager: Tries to steal the login details stored in the browser when accessing a specified webpage.
  • Cookie stealing: Steals the cookies, sending the details to the URL we want.

As you can see, this provides a good range of options to generate more “dangerous” demos for the presentation of the results.