An XSS tool is designed to identify Cross-Site Scripting vulnerabilities in web applications. Penetration testers employ these tools to detect security weaknesses that may enable attackers to inject malicious code, thereby enhancing the overall security posture of web applications.
Our tool detects a range of XSS vulnerabilities, including reflected, stored, DOM-based, path-based, blind XSS, as well as vulnerabilities in both GET and POST requests.
Our user-friendly interface enables you to effortlessly modify existing payloads or create custom payloads tailored to specific testing scenarios.
Yes! We’ve made significant improvements:
+300 new payloads have been added to every plan.
Golden and Business plans now include
500+ new payloads, covering a wide variety of WAFs.
New Fuzzing Feature: This feature performs static analysis based on page source reflection and allowed characters. It generates and automates payloads intelligently, using only the characters allowed by the target application.
Clickable Payloads: xss0r V3 introduces a feature for payloads requiring user interaction, such as <ClickME> buttons. The tool automatically performs POST requests with these payloads, clicks on them, and completes all actions on your behalf.
Yes, we offer a DEMO service that clients can request at any time, allowing for a 5-day testing period. Additionally, we provide a free access key for new users on the 10th to 15th of every month, enabling them to test the tool before making a purchase, specifically for the PRO plan.
Yes, xss0r supports JSON web applications, allowing for detailed testing of JSON payloads and data structures.
xss0r offers advanced search and filter capabilities, allowing users to quickly locate specific vulnerabilities and tailor their testing approach.
xss0r now includes Blind XSS functionality, allowing automated testing of reflected vulnerabilities over time. It sends payloads to trigger XSS even in delayed interactions.
Yes! xss0r V3 fully supports macOS, Ubuntu (latest version), and is compatible with all Linux platforms.
The built-in crawler searches through HTML, XML, and JS tags to discover URLs. It also identifies input forms, such as usernames, feedback, and comment fields, and can automatically submit Blind XSS payloads using the new --spray feature.
When purchasing any XSS Plan, please use a valid email address during registration. API access will be provided within 6 to 12 hours after purchase, though it often arrives sooner. The xss0r tool will be accessible after purchasing a plan, and the API key will be sent to the registered email. If you do not receive your API access within 12 hours, please reach out directly through Support Chat or X.
Introducing xss0r V3:
Session Control: Save (--save) and resume (--resume) your scanning sessions. Custom Headers: Use a custom User-Agent with --user-agent.
Stealth Modes: Bypass modern WAFs with low/medium/high --stealth settings.
Plan Status: Check your current plan features with --status.
ClickMe Automation: Trigger clickable payload techniques using the ClickMe Keyboard Press.
Enhanced BlindXSS: New and improved BlindXSS capabilities.
Updated Chrome: Better performance with the latest Chrome version.
Fresh Look: A new logo marks the updated design.
Experience a faster, smarter, andmore customizable scanning tool with xss0r V3!
Blind XSS in xss0r now offers automatic crawling of forms onwebsites, spraying Blind XSS payloads, and saving any triggeredpayloads directly to your account with Telegram notifications. Italso supports injection of Blind XSS payloads in the user-agentheader, capturing all discovered links for manual inspection.Email-specific payloads target only email fields, and Blind XSSdorking has been added for deeper exploration. Additionally, testpages are provided for learning and practicing Blind XSS techniques.Telegram and Email Notifications Event Payloads for Account Takeover New Features:
All Cookies (Non-HttpOnly): Collects all accessible cookies that are not flagged as HttpOnly for analysis and debugging. Referrer Information: Retrieves the referring URL to identify the source of traffic to the page.
IP Address of the Target Client: Captures the public IP address and provides approximate location details, including city, region, and country.
Browser Language Information: Detects the browser's language settings to support localization and customization.
Browser Name and Version: Identifies the browser name and version using the User-Agent string.
Screenshot of DOM Structure: Generates a visual screenshot of the current DOM structure for debugging and reporting purposes. Screen Resolution: Collects the screen resolution and window size of the client’s device.
Graphics Card Information: Retrieves detailed GPU information, including vendor and renderer.
Battery Status: Tracks the device’s battery level and charging status when supported by the browser.
Network Information: Captures the network type (e.g., Wi-Fi, 4G) and downlink speed. Local Storage and Session Storage: Extracts data stored in the client’s local and session storage.
Form Inputs: Collects values from all form inputs, including text fields, text areas, and dropdowns, on the page.
Page Metadata: Gathers essential page metadata, including the page title, URL, and full HTML structure.
Plugins and Mime Types: Retrieves a list of installed browser plugins and supported MIME types.
Admin Panel Accessibility Check: Attempts to access the /admin endpoint to verify if it is accessible and logs the response status.
API Key Discovery in Scripts: Scans all script files loaded on the page to identify potential API keys in their content.
