Overview

XSSCANNER is an advanced tool designed to detect Reflective, POST-based, Path-based, DOM-based, and Blind cross-site scripting (XSS) vulnerabilities. It employs sophisticated techniques to identify potential XSS injection points and validate them.

Usage Examples

You can specify a list of target URLs for XSSCANNER to check for Cross-Site Scripting vulnerabilities. Optionally, you may configure any settings you’d like. Afterward, simply click on Scan to launch your scan.

Shortly after your scan has been launched, you will be redirected to the page to view your pending scan.

You must provide a list of target URLs to scan for vulnerabilities, not base URLs or root domains. A few examples:

Correct:

https://example.com/path/to/scan?param1=xyz&param2=xyz

https://api.example.com/path/to/scan2

Incorrect:

https://example.com/

https://app.example.com/

Scanner settings

This scanner accepts the following optional parameters:

Payload set

A payload set can be selected. There are 3 different payload sets that you can choose from: Basic, Advanced and Large. By default, the Advanced payload set is selected.

Basic payload set

The Basic payload set includes generic cross-site scripting payloads that work for most targets that do not employ any type of input validation or security rules (WAF).

Advanced payload set

The Advanced payload set includes generic + a list of advanced cross-site scripting payloads. This advanced payload list also contains Web Application Firewall (WAF) bypasses for popular firewalls. We recommend you to use this payload most of the times.

Large payload set

The Large payload set includes all our cross-site scripting payloads. This list contains over 7.400 payloads. We recommend you to only use this list when you would like the scanner to try every possibility.

Selecting the Large payload set will drastically increase your HTTP request count and scan time!

Headless browser

The headless web browser can be deployed to help with the payload injection and validation of any flagged findings. We recommend you to turn this option off for larger scans.

Capabilities

XSSCANNER is an advanced Cross-Site Scripting (XSS) scanner equipped with the following capabilities:

Limitations

XSSCANNER is currently not capable of:

  • Detecting some advanced types of DOM-based Cross-Site Scripting (XSS) vulnerabilities
  • Detecting stored Cross-Site Scripting (XSS) vulnerabilities

Best Practices

We recommend you to follow the best practices that we’ve outlined in detail.

Was this page helpful?

Global ConfigurationServer-Side Request Forgery (SSRF) Scanner