Evilreplay is a novel post‑XSS tool by Ege Balci that enables red teamers to hijack and interact with victim browser sessions live, without needing to steal cookies or tokens. It builds on browser exploitation frameworks and provides unique visibility into real-time user behaviour.

Overview

evilreplay leverages cross‑site scripting (XSS) to inject a control agent into the target’s browser. Once executed, it offers interactive session control: form input, clicks, navigation, and observation. Unlike traditional cookie-based session hijacking, this tool operates directly within the browser context.

Key benefits include:

• Interactive command execution in the victim context
• Evades cookie theft detection mechanisms
• Complements frameworks like BeEF Project – Browser Exploitation Framework for chained browser attacks

Installation

Dependencies:

• Go compiler version 1.18 or higher
• Access to a web server for post-XSS payload hosting

Sample deployment after an XSS payload injection:

Once the victim visits the page triggering XSS, the control dashboard becomes available at http://127.0.0.1:3000. Attackers can simulate form input, navigation, mouse events, and capture network activity—all without exfiltrating cookies.

Feature Highlights

• Live session hijacking: Control DOM interactions and user experience in real time.
• No cookie theft: Evades cookie-based theft detection.
• Lightweight UI: Browser dashboard displays real-time actions and page state.
• Open source: Enables assessment and customisation for different attack paths.

Use Cases

This tool is ideal for red teams and penetration testers:

• Demonstrating interactive DOM manipulation during live engagements
• Bypassing defences focused on cookie theft by conducting actions through existing sessions
• Conducting social engineering inside a full browser context (e.g. fake forms or alerts)

Red Team Relevance

evilreplay adds a new dimension to post‑exploitation:

• It’s more stealthy than automated cookie theft tools
• A skilled red teamer can chain it with phishing or C2 callbacks to maintain persistent browser-based control

Comparison With Alternatives

Tool	Maintained	Real-Time Session Control	Cookie Theft Required	Stealth Level	Notable Use Case
evilreplay	✅ Yes (2025)	✅ Yes (clicks, keys, network logs)	❌ No	✅ High	Remote browser control post-XSS without stealing cookies
BeEF	⚠️ Partially (last commit 2021)	⚠️ Limited (command-based modules)	⚠️ Sometimes	❌ Moderate	Modular browser exploitation via XSS
OpenReplay	✅ Yes	✅ Yes (replay, UX monitoring)	❌ No	❌ Low	Session replay for dev/UX teams (not intended for red team use)
XSSHunter	❌ Abandoned	❌ No	✅ Yes	❌ Low	One-shot XSS payload logging (e.g. alert pop)
HookShell	✅ Active (2025)	✅ Yes (interactive shell)	✅ Yes	⚠️ Varies	Live command execution inside hooked browser tab

evilreplay builds on OpenReplay to deliver real-time browser session hijacking post-XSS, offering interactive control without cookie theft, positioned as a stealthier, DOM-focused alternative to BeEF, and more hands-on than passive tools like XSSHunter or HookShell.

Detection Avoidance

• Does not require cookie theft, making common alerts ineffective
• Generates normal DOM events rather than anomalous requests
• Use defence-in-depth: monitor DOM manipulation, script activity and unusual network behaviours

Considerations & Limitations

• Requires a reliable initial XSS vector
• The victim browser must accept the injected payload JS
• Only effective while the victim remains on the page
• Logging user actions may raise legal and ethical issues in assessments

You can read more or download evilreplay here: https://github.com/EgeBalci/evilreplay