xss0r Plan Comparison

What the PRO PLAN Offers Beyond the BASIC PLAN:

Feature | BASIC PLAN | PRO PLAN
GET Scanning | --get | --get
POST Scanning | --post | --post
Only Triggered Alerts | --onlyalerts | --onlyalerts
Reflection Checks | --reflection | --reflection
Suffix Injection | --suffix | --suffix
Prefix Injection | --prefix | --prefix
Full Payload List Scan | --fullscan | --fullscan
CRLF Injection | --crlf | --crlf
Threads | 7 threads | 10 threads
Payloads | 1,500 payloads | 2,000 payloads
Smart Filtering | not included | --filter removes duplicates and similar URLs, keeps scope clean
BlindXSS Spray | not included | --spray for detecting stored / deferred XSS
Save & Resume | not included | --save + --resume to continue large scans
Advanced WAF Bypass | Limited basic evasion | More advanced evasions for hardened targets
Advanced Recon & Enum | not included | --recon with options: --custom-domains, --no-brute-force
Inspector for Deep Links | not included | --inspector discovers hidden endpoints
The PRO PLAN does everything BASIC does — plus smart filtering, BlindXSS, save/resume, deeper recon, more payloads, more threads, and advanced evasions — essential for larger or more secure targets.
The BASIC PLAN covers core features: GET, POST, PATH injection (via Suffix/Prefix), CRLF, Reflection, with a solid thread/payload base.
What the DIAMOND PLAN Offers Beyond the PRO PLAN:

Feature | PRO PLAN | DIAMOND PLAN
Get / Post | included | included
Only Alerts | included | included
CRLF Injection | included | included
Recon | included | included
Inspector | included | included
Path Injection | included | included
Prefix / Suffix | included | included
Cookies & Initialize | included | included
Reflection Testing | included | included
Spray (BlindXSS) | included | included
Save & Resume | included | included
Fullscan | included | included
Threads / Concurrency | Threads: 10 | Threads: 10
Payloads | 2,000 payloads | n/a (unlimited)
DIAMOND PLAN Exclusive Features:

Exclusive Feature | Available in PRO | Available in DIAMOND | Explanation
Blindusername | no | yes | Injects your xss0r.com username into User-Agent for advanced BlindXSS detection.
Crawler | no | yes | Full internal crawler to discover all pages and links for maximum coverage.
Fuzzer | no | yes | Fuzzes reflections with characters to detect what's blocked, encoded, or passed.
Limit | no | yes | Set requests-per-minute to avoid bans or rate limiting.
Stealth | no | yes | Low, medium, high stealth modes to bypass WAFs and reduce detection (slows scan to slip past security).
Clickme | no | yes | Automates clickable payloads using simulated clicks and keystrokes for DOM XSS or client-side actions.
Both plans provide powerful XSS, CRLF, recon, path injections, reflection checks, BlindXSS, save/resume, and high concurrency, but the DIAMOND PLAN takes it further with crawling, fuzzing, stealth evasion, click automation, BlindUsername tracking, finer rate control, and an unlimited payload list.
What the GOLDEN PLAN Offers Beyond the DIAMOND:

Feature | DIAMOND PLAN | GOLD PLAN
Get / Post | included | included
Only Alerts | included | included
CRLF Injection | included | included
Recon | included | included
Inspector | included | included
Path Injection | included | included
Prefix / Suffix | included | included
Cookies & Initialize | included | included
Reflection Testing | included | included
Spray (BlindXSS) | included | included
Save & Resume | included | included
Fullscan | included | included
Fuzzer | included | included
Clickme | included | included
Limit | included | included
Blindusername | included | included
Crawler | included | included
Stealth | included | included
Advanced WAF Bypass | Advanced evasion | More advanced evasions for all kinds of WAFs, stronger mutation & stealth bypass
Threads | 13 | 15
Payloads | n/a (unlimited) | n/a (unlimited)
GOLDEN PLAN Exclusive Features:

Exclusive Feature | Available in DIAMOND | Available in GOLD | Explanation
Custom Headers | no | yes | Use --headers to inject custom HTTP headers (e.g. "X-Test=abc;").
User-Agent Control | no | yes | Use --useragent to set custom User-Agent strings.
All-in-One Mode | no | yes | Use --all to scan with both path and query injections in one unified scan.
While both plans deliver powerful XSS scanning with BlindXSS, fuzzing, and stealth techniques, the GOLDEN PLAN takes it further with:
✅ Custom HTTP headers & User-Agents
--all combined mode for total coverage
✅ More advanced WAF evasion to defeat sophisticated protections
⚡ Plus maximum concurrency with 15 threads
What the BUSINESS PLAN Offers Beyond the GOLDEN PLAN:

Feature | GOLD PLAN | BUSINESS PLAN
Get / Post | included | included
Only Alerts | included | included
CRLF Injection | included | included
Recon | included | included
Inspector | included | included
Custom Headers | included | included
All (combined mode) | included | included
Path / Prefix / Suffix | included | included
Cookies & Initialize | included | included
Reflection | included | included
Stealth | included | included
Blindusername | included | included
Spray (BlindXSS) | included | included
Crawler | included | included
Fuzzer | included | included
Limit | included | included
Clickme | included | included
Save / Resume / Fullscan | included | included
Threads | 15 | n/a (dynamic scaling)
Payloads | n/a (unlimited) | n/a (unlimited)
BUSINESS PLAN Exclusive Features:

Exclusive Feature | Available in GOLD | Available in BUSINESS | Explanation
Multi-User Licenses | no | yes | Comes with 2 additional gratis licenses (total 3 seats) so multiple team members can run tests simultaneously.
Up to 10 Devices on Any IPs | no | yes | Use on up to 10 devices, no matter the network location; ideal for distributed teams.
Live Chat Support 24/7 | no | yes | Priority 24/7 live chat support to help with technical or deployment issues.
While both GOLDEN and BUSINESS plans include powerful scanning, recon, fuzzing, BlindXSS, stealth, click automation, and full automation, the BUSINESS PLAN is tailored for professional security teams and corporations: 3 total licenses allow simultaneous use by multiple team members, support for up to 10 devices on any IP lets global teams operate seamlessly, and 24/7 live chat support ensures your business always gets help when needed.
Plans common words:

Get / Post - Core XSS scanning methods via GET and POST.

Onlyalerts - Shows only triggered alerts in output.

CRLF Injection - Test subdomains for CRLF injection issues.

Recon - Full recon with crawling and enumeration.

Inspector - Deep analysis for hidden and passive endpoints.

Path / Prefix / Suffix - Inject payloads into path with customizable prefix/suffix.

Cookies / Initialize - Use saved sessions for authenticated testing.

Reflection - Find reflections for XSS testing.

Spray (BlindXSS) - BlindXSS payload spraying into headers/forms.

Save / Resume - Save scan and continue later.

Fullscan - Force test of full payload list.

Fuzzer - Fuzz character filters and encoding.

Clickme - Simulated click/keyboard execution of payloads.

Limit - Control requests per minute.

Blindusername - Inject your xss0r.com username into UA for BlindXSS tracking.

Crawler - Crawl internal links and gather test points.

Stealth - Low/Medium/High stealth mode for WAF bypass.

Advanced WAF Bypass - More advanced evasions for all kinds of WAFs, stronger mutation & stealth bypass.

Payloads - Dynamic payload handling.

😊❤️ Hear from Our Happy Customers! 😊❤️

🚀 Don't just take our word for it! Explore the authentic experiences of our amazing community who have worked with us. Their honest reviews and feedback speak volumes about the accuracy of the xss0r Tool, with zero false positives. We can't wait for you to see it—check out the images below! 📸✨

4.9/5 (264)

Frequently Asked Questions

What is an XSS tool, and why do penetration testers utilize it?

An XSS tool is designed to identify Cross-Site Scripting vulnerabilities in web applications. Penetration testers employ these tools to detect security weaknesses that may enable attackers to inject malicious code, thereby enhancing the overall security posture of web applications.

What types of XSS vulnerabilities does the tool detect?

Our tool detects a range of XSS vulnerabilities, including reflected, stored, DOM-based, path-based, blind XSS, as well as vulnerabilities in both GET and POST requests.

How do I customize the payloads?

Our user-friendly interface enables you to effortlessly modify existing payloads or create custom payloads tailored to specific testing scenarios.

Are there any new improvements for WAF bypass?

Yes! We’ve made significant improvements:
+300 new payloads have been added to every plan.
Golden and Business plans now include
500+ new payloads, covering a wide variety of WAFs.
New Fuzzing Feature: This feature performs static analysis based on page source reflection and allowed characters. It generates and automates payloads intelligently, using only the characters allowed by the target application.
Clickable Payloads: xss0r V3 introduces a feature for payloads requiring user interaction, such as <ClickME> buttons. The tool automatically performs POST requests with these payloads, clicks on them, and completes all actions on your behalf.

Is there a trial version available?

Yes, we offer a DEMO service that clients can request at any time, allowing for a 5-day testing period. Additionally, we provide a free access key for new users on the 10th to 15th of every month, enabling them to test the tool before making a purchase, specifically for the PRO plan.

Can xss0r analyze JSON web applications?

Yes, xss0r supports JSON web applications, allowing for detailed testing of JSON payloads and data structures.

What are the advanced search and filter options in xss0r?

xss0r offers advanced search and filter capabilities, allowing users to quickly locate specific vulnerabilities and tailor their testing approach.

What is Blind XSS, and how is it implemented in xss0r?

xss0r now includes Blind XSS functionality, allowing automated testing of reflected vulnerabilities over time. It sends payloads to trigger XSS even in delayed interactions.

Does xss0r V3 support macOS and other Linux distributions?

Yes! xss0r fully supports macOS, Ubuntu (latest version), and is compatible with all Linux platforms.

How does the new crawler feature enhance testing?

The built-in crawler searches through HTML, XML, and JS tags to discover URLs. It also identifies input forms, such as usernames, feedback, and comment fields, and can automatically submit Blind XSS payloads using the new --spray feature.

Where is the API key sent, and how can I add my API key?

When purchasing any XSS Plan, please use a valid email address during registration. API access will be provided within 6 to 12 hours after purchase, though it often arrives sooner. The xss0r tool will be accessible after purchasing a plan, and the API key will be sent to the registered email. If you do not receive your API access within 12 hours, please reach out directly through Support Chat or X.

What are the complete features of BlindXSS in xss0r?

Blind XSS in xss0r now offers automatic crawling of forms on websites, spraying Blind XSS payloads, and saving any triggered payloads directly to your account with Telegram notifications. It also supports injection of Blind XSS payloads in the User-Agent header, capturing all discovered links for manual inspection. Email-specific payloads target only email fields, and Blind XSS dorking has been added for deeper exploration. Additionally, test pages are provided for learning and practicing Blind XSS techniques.

Telegram and Email Notifications

Event Payloads for Account Takeover

New Features:
All Cookies (Non-HttpOnly): Collects all accessible cookies that are not flagged as HttpOnly for analysis and debugging.
Referrer Information: Retrieves the referring URL to identify the source of traffic to the page.
IP Address of the Target Client: Captures the public IP address and provides approximate location details, including city, region, and country.
Browser Language Information: Detects the browser's language settings to support localization and customization.
Browser Name and Version: Identifies the browser name and version using the User-Agent string.
Screenshot of DOM Structure: Generates a visual screenshot of the current DOM structure for debugging and reporting purposes.
Screen Resolution: Collects the screen resolution and window size of the client's device.
Graphics Card Information: Retrieves detailed GPU information, including vendor and renderer.
Battery Status: Tracks the device's battery level and charging status when supported by the browser.
Network Information: Captures the network type (e.g., Wi-Fi, 4G) and downlink speed.
Local Storage and Session Storage: Extracts data stored in the client's local and session storage.
Form Inputs: Collects values from all form inputs, including text fields, text areas, and dropdowns, on the page.
Page Metadata: Gathers essential page metadata, including the page title, URL, and full HTML structure.
Plugins and Mime Types: Retrieves a list of installed browser plugins and supported MIME types.
Admin Panel Accessibility Check: Attempts to access the /admin endpoint to verify if it is accessible and logs the response status.
API Key Discovery in Scripts: Scans all script files loaded on the page to identify potential API keys in their content.