version: "3.9" services: # XSS Hunter Express service xsshunterexpress: build: . environment: # [REQUIRED] The hostname/domain pointed to # the IP of the server running this service. # SSL will automatically be set up and # renewed with LetsEncrypt. - HOSTNAME=your.host.name # THis hostname is where your JS is served out of - XSS_HOSTNAME=your.xss.domain # [REQUIRED] Email for SSL - SSL_CONTACT_EMAIL=YourEmail@gmail.com # Maximum XSS callback payload size # This includes the webpage screenshot, DOM HTML, # page text, and other metadata. Note that if the # payload is above this limit, you won't be notified # of the XSS firing. - MAX_PAYLOAD_UPLOAD_SIZE_MB=50 # Whether or not to enable the web control panel # Set to "false" or remove to disable the web UI. # Useful for minimizing attack surface. - CONTROL_PANEL_ENABLED=true # Whether or not to enable email notifications via # SMTP for XSS payload fires. - SMTP_EMAIL_NOTIFICATIONS_ENABLED=true - SMTP_HOST=smtp.gmail.com - SMTP_PORT=465 - SMTP_USE_TLS=true - SMTP_USERNAME=YourEmail@gmail.com - SMTP_PASSWORD=YourEmailPassword - SMTP_FROM_EMAIL=YourEmail@gmail.com - SMTP_RECEIVER_EMAIL=YourEmail@gmail.com # CLIENT ID FOR OAUTH LOGIN - CLIENT_ID=your_client_id - CLIENT_SECRET=your_client_secret # THERE IS NO NEED TO MODIFY BELOW THIS LINE # ------------------------------------------ # FEEL FREE, BUT KNOW WHAT YOU'RE DOING. # Where XSS screenshots are stored - SCREENSHOTS_DIR=/app/payload-fire-images - DATABASE_NAME=xsshunterexpress - DATABASE_USER=xsshunterexpress - DATABASE_PASSWORD=xsshunterexpress - DATABASE_HOST=postgresdb - NODE_ENV=production ports: - "80:80" - "443:443" volumes: # Stores the SSL/TLS certificates and keys # in the "ssldata" directory. # Your certificates are automatically renewed # via LetsEncrypt, no extra work needed! - ./ssldata:/app/greenlock.d # Directory where payload fire images are stored. - ./payload-fire-images:/app/payload-fire-images # Comment out if you're using an external SQL # server and have commented out the DB section. depends_on: - postgresdb # Postgres server to store injection data (not including # screenshots which are stored separately). # NOTE: If you're using an external SQL server, you can comment # out this service. # WARNING: This database gives the "postgres" user admin priveleges # with a default password of "xsshunterexpress". Do not expose it # externally. If you do, be sure to change the password. postgresdb: image: postgres restart: always environment: # This is a volume mounted into the container # (see the directory ./postgres-db-data) # So the database will be persisted across # container deletion. PGDATA: /var/lib/postgresql/data/pgdata POSTGRES_USER: xsshunterexpress POSTGRES_DB: xsshunterexpress POSTGRES_PASSWORD: xsshunterexpress volumes: - ./postgres-db-data:/var/lib/postgresql/data/pgdata