What is XSS Chef?

XSS Chef is a small React.js application inspired by CyberChef, which provides users with a modular way to build JavaScript payloads to typically be used during penetration tests to demonstrate cross-site scripting vulnerabilities.

A live copy of the application can be found here.

What Can I Do with XSS Chef?

The current set of recipes can be found below, along with a description of what they allow you to do:

  • Alert – Display an alert in the user’s browser
  • Body Replacer – Replace the inner HTML of the document body with custom markup
  • Cookie Exfiltrator – Exfiltrate one or more cookies to an external web server
  • Decimal Encoder – Encode the payload into a comma-separated array of decimal numbers
  • Link Hijacker – Change the href attribute of all links on the page to point to a different URL
  • Keylogger – Log all key presses on the page and submit them back to a web server
  • String Exfiltrator – Request a resource from the target’s browser and exfiltrate the data
  • WordPress: Create User – Create a new WordPress user account on the target system


git clone https://github.com/rastating/xss-chef.git

  • For a production build, run: yarn build
  • For a development build, run: yarn build-dev


yarn jest

Copyright (C) 2018 rastating