🔐 Most advanced XSS scanner.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Somdev Sangwan 0ecedc1bba
Merge pull request #272 from s0md3v/fixed
1 year ago
.github Delete ISSUE_TEMPLATE.md 2 years ago
core Add files via upload 1 year ago
db +3 vulnerable libraries 2 years ago
modes Add files via upload 1 year ago
plugins Better result formatting 2 years ago
.gitignore fixed issue where foundParams are not being checked for in reflected response; added vscode folder to gitignore 2 years ago
.travis.yml update travis 2 years ago
CHANGELOG.md changelog for 3.1.4 2 years ago
LICENSE added GPL v3 license 2 years ago
README.md updated features 2 years ago
requirements.txt reverting to the stable build 1 year ago
xsstrike.py Add files via upload 1 year ago



Advanced XSS Detection Suite

multi xss

XSStrike WikiUsageFAQFor DevelopersCompatibilityGallery

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.

Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. Here are some examples of the payloads generated by XSStrike:


Apart from that, XSStrike has crawling, fuzzing, parameter discovery, WAF detection capabilities as well. It also scans for DOM XSS vulnerabilities.

Main Features

  • Reflected and DOM XSS scanning
  • Multi-threaded crawling
  • Context analysis
  • Configurable core
  • WAF detection & evasion
  • Outdated JS lib scanning
  • Intelligent payload generator
  • Handmade HTML & JavaScript parser
  • Powerful fuzzing engine
  • Blind XSS support
  • Highly researched work-flow
  • Complete HTTP support
  • Bruteforce payloads from a file
  • Powered by Photon, Zetanize and Arjun
  • Payload Encoding




dom xss

Reflected XSS

multi xss





Bruteforcing payloads from a file


Interactive HTTP Headers Prompt


Hidden Parameter Discovery


Contribution, Credits & License

Ways to contribute

  • Suggest a feature
  • Report a bug
  • Fix something and open a pull request
  • Create a browser extension
  • Create a burp suite/zaproxy plugin
  • Help me document the code
  • Spread the word

Licensed under the GNU GPLv3, see LICENSE for more information.

The WAF signatures in /db/wafSignatures.json are taken & modified from sqlmap. I extracted them from sqlmap's waf detection modules which can found here and converted them to JSON.
/plugins/retireJS.py is a modified version of retirejslib.