xss0r BASIC Plan

An XSS tool is designed to identify Cross-Site Scripting vulnerabilities in web applications. Penetration testers employ these tools to detect security weaknesses that may enable attackers to inject malicious code, thereby enhancing the overall security posture of web applications.

Our tool detects a range of XSS vulnerabilities, including reflected, stored, DOM-based, path-based, blind XSS, as well as vulnerabilities in both GET and POST requests.

Our user-friendly interface enables you to effortlessly modify existing payloads or create custom payloads tailored to specific testing scenarios.

Yes! We’ve made significant improvements:
‍+300 new payloads have been added to every plan.
‍Golden and Business plans now include
‍500+ new payloads, covering a wide variety of WAFs.
‍New Fuzzing Feature: This feature performs static analysis based on page source reflection and allowed characters. It generates and automates payloads intelligently, using only the characters allowed by the target application.
‍Clickable Payloads: xss0r V2 introduces a feature for payloads requiring user interaction, such as <ClickME> buttons. The tool automatically performs POST requests with these payloads, clicks on them, and completes all actions on your behalf.

Yes, we offer a DEMO service that clients can request at any time, allowing for a 5-day testing period. Additionally, we provide a free access key for new users on the 10th to 15th of every month, enabling them to test the tool before making a purchase, specifically for the PRO plan.

Yes, xss0r supports JSON web applications, allowing for detailed testing of JSON payloads and data structures.

xss0r offers advanced search and filter capabilities, allowing users to quickly locate specific vulnerabilities and tailor their testing approach.

xss0r now includes Blind XSS functionality, allowing automated testing of reflected vulnerabilities over time. It sends payloads to trigger XSS even in delayed interactions.

Yes! xss0r V2 fully supports macOS, Ubuntu (latest version), and is compatible with all Linux platforms.

The built-in crawler searches through HTML, XML, and JS tags to discover URLs. It also identifies input forms, such as usernames, feedback, and comment fields, and can automatically submit Blind XSS payloads using the new --spray feature.

When purchasing any XSS Plan, please use a valid email address during registration. API access will be provided within 6 to 12 hours after purchase, though it often arrives sooner. The xss0r tool will be accessible after purchasing a plan, and the API key will be sent to the registered email. If you do not receive your API access within 12 hours, please reach out directly through Support Chat or X.

The V2 version of xss0r introduces several powerful features: unlimited custom payload list loading, Blind XSS with full form and link crawling, Telegram notifications, and private "ClickMe" payloads. The update also includes a reflection checker, a “Only Alerts” mode, options for limiting requests, support for CSP bypass, and unlimited threading speed. New functionalities like resumable scans, fuzzing, crawling, and 24/7 live chat support enhance flexibility and usability. The tool now supports up to 10 devices, based on your plan, and automated Blind XSS payload injection in headers.

Blind XSS in xss0r now offers automatic crawling of forms on websites, spraying Blind XSS payloads, and saving any triggered payloads directly to your account with Telegram notifications. It also supports injection of Blind XSS payloads in the user-agent header, capturing all discovered links for manual inspection. Email-specific payloads target only email fields, and Blind XSS dorking has been added for deeper exploration. Additionally, test pages are provided for learning and practicing Blind XSS techniques.