xss0r Plan Comparison

What the PRO PLAN Offers Beyond the BASIC PLAN:

1. PATH Request Analysis: The PRO PLAN includes PATH request analysis, allowing users to detect and exploit vulnerabilities that require payloads in URL paths, a feature not available in the BASIC PLAN. This adds flexibility for testing more sophisticated vulnerabilities.

2. Increased Payload Library: With access to 2,000 XSS payloads compared to 1,500 in the BASIC PLAN, the PRO PLAN provides a broader and more versatile range of payloads to test against a variety of web application defenses.

3. Enhanced WAF Bypass Capabilities: The PRO PLAN includes advanced WAF bypass capabilities, making it more effective for testing applications with stringent security measures. This feature is more limited in the BASIC PLAN, giving the PRO PLAN an advantage in secure environments.

4. JSON and Multipart WebApp Support: The PRO PLAN offers support for both JSON and Multipart Web Applications, expanding its capability to handle modern web app architectures. This feature enables users to test APIs and multipart form submissions effectively, which is absent in the BASIC PLAN.

5. Higher Thread Speed Limit: The PRO PLAN supports up to 10 threads, providing faster scanning and better performance on larger sites. In comparison, the BASIC PLAN is limited to 7 threads, making it less optimal for extensive testing.

6. Technical Support and Educational Resources: Both plans offer technical support, an eBook with practical examples, and instructional videos, but the PRO PLAN is designed for users who have some experience and want to deepen their expertise. It provides a more robust toolset and advanced features, making it ideal for intermediate users looking to advance their skills beyond the basics covered in the BASIC PLAN.

7. Save Session: Saves current scanning session.

The PRO PLAN provides an upgraded set of features, allowing users to explore more complex vulnerabilities and improve testing efficiency, making it well-suited for those ready to take their web security skills to the next level.

What the DIAMOND PLAN Offers Beyond the PRO PLAN:

1. Expanded Payload Library with Full WAF Bypass: The DIAMOND PLAN provides access to 3,000 XSS payloads, compared to 2,000 in the PRO PLAN, with advanced WAF bypass capabilities. Additionally, it allows for unlimited custom payload list loading, enabling users to test an extensive range of vulnerabilities and tailor payloads to specific applications.

2. Enhanced BlindXSS with All Features Included: While the PRO PLAN offers BlindXSS capabilities, the DIAMOND PLAN takes it further with full-featured BlindXSS, which includes additional advanced payloads and detection mechanisms. This enhancement is ideal for detecting delayed or hidden XSS vulnerabilities that require more sophisticated detection techniques.

3. Advanced Crawling and Fuzzing Capabilities: The DIAMOND PLAN includes both Crawling and Fuzzing functionalities, enabling users to automate exploration and injection of payloads across the application, increasing the chance of identifying complex vulnerabilities. These advanced scanning capabilities go beyond the PRO PLAN, allowing users to dive deeper into application behavior and structure.

4. Automated Resuming and Limit Requests Features: The DIAMOND PLAN provides the ability to resume scans automatically and set request limits, ensuring scans are efficient without overwhelming target applications. These features enhance scan management and control, particularly useful for large-scale applications, and are not available in the PRO PLAN.

5. User-Interaction Payloads Support and CSP Bypass: The DIAMOND PLAN supports payloads that require user interaction, offering deeper real-world vulnerability testing. It also includes CSP (Content Security Policy) bypass capabilities, allowing users to test applications with strict security policies, which is not supported in the PRO PLAN.

6. Increased Thread Speed Limit: With a thread speed limit of up to 13, the DIAMOND PLAN is faster and more efficient for larger, more complex applications, compared to the PRO PLAN’s limit of 10 threads.

7. Broader License and Device Support: The DIAMOND PLAN allows usage for 1 user on up to 4 devices across 2 different IP addresses, whereas the PRO PLAN is limited to 3 devices on the same IP. This flexibility makes the DIAMOND PLAN more suitable for team settings or users who need access across multiple environments.

8. Additional Features and Advanced Support Tools: The DIAMOND PLAN includes exclusive features like Fuzzing, Crawling, Resuming Scan, and Limit Requests. These tools are designed to provide a more thorough, automated approach to XSS testing, making the DIAMOND PLAN ideal for users looking to conduct comprehensive and efficient scans on complex applications.

9. Stealth: low|medium|high] – Adjusts the stealth mode levelto evade WAFs and security filters.

The DIAMOND PLAN offers a significant upgrade over the PRO PLAN, providing a powerful toolset that includes advanced detection capabilities, faster scanning, enhanced automation, and support for user-interactive and CSP bypass payloads. This plan is ideal for experienced users or teams who require a comprehensive solution for tackling sophisticated web application vulnerabilities.

What the GOLDEN PLAN Offers Beyond the DIAMOND:

1. Higher Thread Speed Limit: The GOLDEN PLAN supports up to 15 threads, while the DIAMOND PLAN is limited to 13 threads. This increased speed allows for faster and more efficient scanning, especially beneficial for testing larger applications requiring extensive scans.

2. Live Chat Support: The GOLDEN PLAN includes live chat support, providing real-time assistance for users who need immediate help. This feature is exclusive to the GOLDEN PLAN and not available in the DIAMOND PLAN, making it ideal for users who require quick resolutions and direct support.

3. Cost Savings with Semi-Annual Payments: Choosing the GOLDEN PLAN over the DIAMOND PLAN results in substantial savings. While the GOLDEN PLAN costs $119.99 every 6 months (totaling $239.98 per year), the DIAMOND PLAN is priced at $89.99 every 3 months (totaling $359.96 per year). This results in an annual savings of $119.98, making the GOLDEN PLAN a more cost-effective option for long-term users.

4. Comprehensive Feature Set at a Better Price: Both the GOLDEN PLAN and DIAMOND PLAN offer essential features such as GET and POST Requests with Cookie Support, PATH Request Analysis, Private xss0r Payloads with Full WAF Bypass, and Unlimited Custom Payload List Loading. Additionally, both plans include BlindXSS with All Features Included, Reflection Checker, Only Alerts, Suffix & Prefix Customization, and support for JSON and Multipart WebApps. Other shared functionalities include Resume Scan, Fuzzing, Crawling, Resuming Scan, Limit Requests, User-Interaction Payloads Support, and CSP Bypass.

5. Device and IP Flexibility: Both plans allow 1 user across up to 4 devices on 2 different IP addresses, providing ample flexibility for users who need access across multiple environments.

6. User-Agent: Specify custom user agent.

The GOLDEN PLAN offers all the advanced features of the DIAMOND PLAN while delivering additional benefits, such as a higher thread limit, live chat support, and significant cost savings. This makes the GOLDEN PLAN ideal for users seeking top-tier XSS detection capabilities, enhanced support options, and better value for long-term use.

What the BUSINESS PLAN Offers Beyond the GOLDEN PLAN:

1. ClickMe Private Payloads for Enhanced BlindXSS: The BUSINESS PLAN includes ClickMe Private Payloads for BlindXSS, offering additional payload options to detect delayed-execution and hidden XSS vulnerabilities. This advanced feature enhances the detection capabilities beyond those provided in the GOLDEN PLAN.

2. Unlimited Speed on Threads: The BUSINESS PLAN offers unlimited speed on threads, allowing for unrestricted scanning performance, while the GOLDEN PLAN is limited to a maximum of 15 threads. This makes the BUSINESS PLAN ideal for users who need to conduct rapid scans on complex applications without any thread speed limitations.

3. 24/7 Technical and Live Chat Support: With 24/7 access to both technical support and live chat, the BUSINESS PLAN ensures that users have round-the-clock assistance. In contrast, the GOLDEN PLAN does not guarantee 24/7 availability for these support channels, making the BUSINESS PLAN more suitable for users who need immediate support at any time.

4. Additional Licenses for Team Flexibility: The BUSINESS PLAN provides 2 free additional licenses, enabling usage for multiple team members or organizational flexibility. This feature is not available in the GOLDEN PLAN, making the BUSINESS PLAN a better choice for companies and larger teams.

5. Extended Device and IP Flexibility: Supporting up to 10 devices on any IP addresses, the BUSINESS PLAN offers significantly more flexibility than the GOLDEN PLAN, which supports only 4 devices on 2 different IP addresses. This additional device support is advantageous for teams needing broad access across multiple devices and locations.

The BUSINESS PLAN offers all the features of the GOLDEN PLAN and adds substantial benefits, including ClickMe Private Payloads for BlindXSS, unlimited thread speed, 24/7 support, additional licenses, and enhanced device/IP flexibility. This plan is ideal for businesses, teams, and organizations seeking a high-performance, versatile, and scalable XSS detection solution with comprehensive support and flexibility.

Frequently Asked Questions

What is an XSS tool, and why do penetration testers utilize it?

An XSS tool is designed to identify Cross-Site Scripting vulnerabilities in web applications. Penetration testers employ these tools to detect security weaknesses that may enable attackers to inject malicious code, thereby enhancing the overall security posture of web applications.

What types of XSS vulnerabilities does the tool detect?

Our tool detects a range of XSS vulnerabilities, including reflected, stored, DOM-based, path-based, blind XSS, as well as vulnerabilities in both GET and POST requests.

How do I customize the payloads?

Our user-friendly interface enables you to effortlessly modify existing payloads or create custom payloads tailored to specific testing scenarios.

Are there any new improvements for WAF bypass?

Yes! We’ve made significant improvements:
‍+300 new payloads have been added to every plan.
‍Golden and Business plans now include
‍500+ new payloads, covering a wide variety of WAFs.
‍New Fuzzing Feature: This feature performs static analysis based on page source reflection and allowed characters. It generates and automates payloads intelligently, using only the characters allowed by the target application.
‍Clickable Payloads: xss0r V3 introduces a feature for payloads requiring user interaction, such as <ClickME> buttons. The tool automatically performs POST requests with these payloads, clicks on them, and completes all actions on your behalf.

Is there a trial version available?

Yes, we offer a DEMO service that clients can request at any time, allowing for a 5-day testing period. Additionally, we provide a free access key for new users on the 10th to 15th of every month, enabling them to test the tool before making a purchase, specifically for the PRO plan.

Can xss0r analyze JSON web applications?

Yes, xss0r supports JSON web applications, allowing for detailed testing of JSON payloads and data structures.

What are the advanced search and filter options in xss0r?

xss0r offers advanced search and filter capabilities, allowing users to quickly locate specific vulnerabilities and tailor their testing approach.

What is Blind XSS, and how is it implemented in xss0r?

xss0r now includes Blind XSS functionality, allowing automated testing of reflected vulnerabilities over time. It sends payloads to trigger XSS even in delayed interactions.

Does xss0r V3 support macOS and other Linux distributions?

Yes! xss0r fully supports macOS, Ubuntu (latest version), and is compatible with all Linux platforms.

How does the new crawler feature enhance testing?

The built-in crawler searches through HTML, XML, and JS tags to discover URLs. It also identifies input forms, such as usernames, feedback, and comment fields, and can automatically submit Blind XSS payloads using the new --spray feature.

Where is the API key sent, and how can I add my API key?

When purchasing any XSS Plan, please use a valid email address during registration. API access will be provided within 6 to 12 hours after purchase, though it often arrives sooner. The xss0r tool will be accessible after purchasing a plan, and the API key will be sent to the registered email. If you do not receive your API access within 12 hours, please reach out directly through Support Chat or X.

What new features are included in the V4 version of xss0r?

Introducing xss0r V4:
-Added --fullscan — forces testing of the entire payload list for comprehensive analysis.
-Added default scan behavior — triggers only 1 XSS alert per domain or subdomain to reduce noise.
- Improved URL crawling — added deeper discovery and filtering for duplicates, similar URLs, and file extensions.
- Redesigned banner — introduced a cleaner, more modern interface for better readability.
- Optimized performance — rebuilt a lighter, more efficient xsser for reduced RAM and CPU usage.
- Simplified installation — xsser is now easier and faster to set up.- Added POST request handling — supports JSON, multipart, and URL-encoded data simultaneously.
- Improved accuracy — slightly slower than previous, but detects significantly more.
- Added WAF detection — instantly identifies web application firewalls from HTTP responses.
- Added colorful terminal output — improved readability with enhanced visual feedback.
- Improved --fuzzer — now shows which characters are blocked or allowed and saves results to a .txt file.

What are the complete features of BlindXSS in xss0r?

Blind XSS in xss0r now offers automatic crawling of forms onwebsites, spraying Blind XSS payloads, and saving any triggeredpayloads directly to your account with Telegram notifications. Italso supports injection of Blind XSS payloads in the user-agentheader, capturing all discovered links for manual inspection.Email-specific payloads target only email fields, and Blind XSSdorking has been added for deeper exploration. Additionally, testpages are provided for learning and practicing Blind XSS techniques.Telegram and Email Notifications Event Payloads for Account Takeover New Features:
‍All Cookies (Non-HttpOnly): Collects all accessible cookies that are not flagged as HttpOnly for analysis and debugging. Referrer Information: Retrieves the referring URL to identify the source of traffic to the page.
‍IP Address of the Target Client: Captures the public IP address and provides approximate location details, including city, region, and country.
‍Browser Language Information: Detects the browser's language settings to support localization and customization.
‍Browser Name and Version: Identifies the browser name and version using the User-Agent string.
‍Screenshot of DOM Structure: Generates a visual screenshot of the current DOM structure for debugging and reporting purposes. Screen Resolution: Collects the screen resolution and window size of the client’s device.
‍Graphics Card Information: Retrieves detailed GPU information, including vendor and renderer.
‍Battery Status: Tracks the device’s battery level and charging status when supported by the browser.
‍Network Information: Captures the network type (e.g., Wi-Fi, 4G) and downlink speed. Local Storage and Session Storage: Extracts data stored in the client’s local and session storage.
‍Form Inputs: Collects values from all form inputs, including text fields, text areas, and dropdowns, on the page.
‍Page Metadata: Gathers essential page metadata, including the page title, URL, and full HTML structure.
‍Plugins and Mime Types: Retrieves a list of installed browser plugins and supported MIME types.
‍Admin Panel Accessibility Check: Attempts to access the /admin endpoint to verify if it is accessible and logs the response status.
‍API Key Discovery in Scripts: Scans all script files loaded on the page to identify potential API keys in their content.

xss0r Plan Comparison

😊❤️ Hear from Our Happy Customers! 😊❤️

Frequently Asked Questions