Pentesting Tools
Cross-Site Scripting (XSS) Scanner
XSSCANNER is an advanced Cross-Site Scripting (XSS) scanner.
Overview
XSSCANNER is an advanced tool designed to detect Reflective, POST-based, Path-based, DOM-based, and Blind cross-site scripting (XSS) vulnerabilities. It employs sophisticated techniques to identify potential XSS injection points and validate them.Usage Examples
You can specify a list of target URLs for XSSCANNER to check for Cross-Site Scripting vulnerabilities. Optionally, you may configure any settings you’d like. Afterward, simply click on Scan to launch your scan. Shortly after your scan has been launched, you will be redirected to the page to view your pending scan.
You must provide a list of target URLs to scan for vulnerabilities, not base URLs or root domains. A few examples:Correct:
https://example.com/path/to/scan?param1=xyz¶m2=xyz https://api.example.com/path/to/scan2Incorrect: https://example.com/ https://app.example.com/Scanner settings
This scanner accepts the following optional parameters:Payload set
A payload set can be selected. There are 3 different payload sets that you can choose from: Basic, Advanced and Large. By default, the Advanced payload set is selected.Basic payload set
The Basic payload set includes generic cross-site scripting payloads that work for most targets that do not employ any type of input validation or security rules (WAF).Advanced payload set
The Advanced payload set includes generic + a list of advanced cross-site scripting payloads. This advanced payload list also contains Web Application Firewall (WAF) bypasses for popular firewalls. We recommend you to use this payload most of the times.Large payload set
The Large payload set includes all our cross-site scripting payloads. This list contains over 7.400 payloads. We recommend you to only use this list when you would like the scanner to try every possibility.Selecting the Large payload set will drastically increase your HTTP request count and scan time!
Headless browser
The headless web browser can be deployed to help with the payload injection and validation of any flagged findings. We recommend you to turn this option off for larger scans.Capabilities
XSSCANNER is an advanced Cross-Site Scripting (XSS) scanner equipped with the following capabilities:Cross-Site Scripting (XSS) Detection
Cross-Site Scripting (XSS) Detection
XSSCANNER is an advanced tool to help you detect Reflective, POST-based, Path-based, DOM-based, and Blind Cross-Site Scripting (XSS) vulnerabilities.
Smart Detection
Smart Detection
XSSCANNER employs an effective workflow by emulating a penetration tester’s behavior to maximize results and prevent false positives and false negatives.
Blind XSS Detection
Blind XSS Detection
The scanner attempts to inject various blind XSS payloads with your custom OAST Server payload.
Headless Browser Validation
Headless Browser Validation
XSSCANNER deploys a headless web browser for validation to provide a false-positive free experience.
Advanced Payloads With WAF Bypasses
Advanced Payloads With WAF Bypasses
Advanced Payloads with Web Application Firewall (WAF) bypasses for popular firewalls like Cloudflare, Akamai, etc.
Limitations
XSSCANNER is currently not capable of:- Detecting some advanced types of DOM-based Cross-Site Scripting (XSS) vulnerabilities
- Detecting stored Cross-Site Scripting (XSS) vulnerabilities