xss0r Business Plan

An XSS tool is designed to identify Cross-Site Scripting vulnerabilities in web applications. Penetration testers employ these tools to detect security weaknesses that may enable attackers to inject malicious code, thereby enhancing the overall security posture of web applications.

Our tool detects a range of XSS vulnerabilities, including reflected, stored, DOM-based, path-based, blind XSS, as well as vulnerabilities in both GET and POST requests.

Our user-friendly interface enables you to effortlessly modify existing payloads or create custom payloads tailored to specific testing scenarios.

Yes! We’ve made significant improvements:
‍+300 new payloads have been added to every plan.
‍Golden and Business plans now include
‍500+ new payloads, covering a wide variety of WAFs.
‍New Fuzzing Feature: This feature performs static analysis based on page source reflection and allowed characters. It generates and automates payloads intelligently, using only the characters allowed by the target application.
‍Clickable Payloads: xss0r V3 introduces a feature for payloads requiring user interaction, such as <ClickME> buttons. The tool automatically performs POST requests with these payloads, clicks on them, and completes all actions on your behalf.

Yes, we offer a DEMO service that clients can request at any time, allowing for a 5-day testing period. Additionally, we provide a free access key for new users on the 10th to 15th of every month, enabling them to test the tool before making a purchase, specifically for the PRO plan.

Yes, xss0r supports JSON web applications, allowing for detailed testing of JSON payloads and data structures.

xss0r offers advanced search and filter capabilities, allowing users to quickly locate specific vulnerabilities and tailor their testing approach.

xss0r now includes Blind XSS functionality, allowing automated testing of reflected vulnerabilities over time. It sends payloads to trigger XSS even in delayed interactions.

Yes! xss0r fully supports macOS, Ubuntu (latest version), and is compatible with all Linux platforms.

The built-in crawler searches through HTML, XML, and JS tags to discover URLs. It also identifies input forms, such as usernames, feedback, and comment fields, and can automatically submit Blind XSS payloads using the new --spray feature.

When purchasing any XSS Plan, please use a valid email address during registration. API access will be provided within 6 to 12 hours after purchase, though it often arrives sooner. The xss0r tool will be accessible after purchasing a plan, and the API key will be sent to the registered email. If you do not receive your API access within 12 hours, please reach out directly through Support Chat or X.

Introducing xss0r V4:
-Added --fullscan — forces testing of the entire payload list for comprehensive analysis.
-Added default scan behavior — triggers only 1 XSS alert per domain or subdomain to reduce noise.
- Improved URL crawling — added deeper discovery and filtering for duplicates, similar URLs, and file extensions.
- Redesigned banner — introduced a cleaner, more modern interface for better readability.
- Optimized performance — rebuilt a lighter, more efficient xsser for reduced RAM and CPU usage.
- Simplified installation — xsser is now easier and faster to set up.- Added POST request handling — supports JSON, multipart, and URL-encoded data simultaneously.
- Improved accuracy — slightly slower than previous, but detects significantly more.
- Added WAF detection — instantly identifies web application firewalls from HTTP responses.
- Added colorful terminal output — improved readability with enhanced visual feedback.
- Improved --fuzzer — now shows which characters are blocked or allowed and saves results to a .txt file.

Blind XSS in xss0r now offers automatic crawling of forms onwebsites, spraying Blind XSS payloads, and saving any triggeredpayloads directly to your account with Telegram notifications. Italso supports injection of Blind XSS payloads in the user-agentheader, capturing all discovered links for manual inspection.Email-specific payloads target only email fields, and Blind XSSdorking has been added for deeper exploration. Additionally, testpages are provided for learning and practicing Blind XSS techniques.Telegram and Email Notifications Event Payloads for Account Takeover New Features:
‍All Cookies (Non-HttpOnly): Collects all accessible cookies that are not flagged as HttpOnly for analysis and debugging. Referrer Information: Retrieves the referring URL to identify the source of traffic to the page.
‍IP Address of the Target Client: Captures the public IP address and provides approximate location details, including city, region, and country.
‍Browser Language Information: Detects the browser's language settings to support localization and customization.
‍Browser Name and Version: Identifies the browser name and version using the User-Agent string.
‍Screenshot of DOM Structure: Generates a visual screenshot of the current DOM structure for debugging and reporting purposes. Screen Resolution: Collects the screen resolution and window size of the client’s device.
‍Graphics Card Information: Retrieves detailed GPU information, including vendor and renderer.
‍Battery Status: Tracks the device’s battery level and charging status when supported by the browser.
‍Network Information: Captures the network type (e.g., Wi-Fi, 4G) and downlink speed. Local Storage and Session Storage: Extracts data stored in the client’s local and session storage.
‍Form Inputs: Collects values from all form inputs, including text fields, text areas, and dropdowns, on the page.
‍Page Metadata: Gathers essential page metadata, including the page title, URL, and full HTML structure.
‍Plugins and Mime Types: Retrieves a list of installed browser plugins and supported MIME types.
‍Admin Panel Accessibility Check: Attempts to access the /admin endpoint to verify if it is accessible and logs the response status.
‍API Key Discovery in Scripts: Scans all script files loaded on the page to identify potential API keys in their content.