{"id":13454551,"url":"https://github.com/s0md3v/XSStrike","last_synced_at":"2025-03-24T06:30:51.448Z","repository":{"id":37514594,"uuid":"95419982","full_name":"s0md3v/XSStrike","owner":"s0md3v","description":"Most advanced XSS scanner.","archived":false,"fork":false,"pushed_at":"2025-02-24T19:41:34.000Z","size":1183,"stargazers_count":13687,"open_issues_count":100,"forks_count":1946,"subscribers_count":275,"default_branch":"master","last_synced_at":"2025-03-15T17:13:37.002Z","etag":null,"topics":["waf-detection","xss","xss-bruteforce","xss-detection","xss-exploit","xss-python","xss-scanner","xsstrike"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s0md3v.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"s0md3v","custom":"https://paypal.me/s0md3v"}},"created_at":"2017-06-26T07:24:44.000Z","updated_at":"2025-03-15T16:16:44.000Z","dependencies_parsed_at":"2023-02-19T08:46:20.808Z","dependency_job_id":"c9fb2780-124b-4494-a9fc-32ddd623d382","html_url":"https://github.com/s0md3v/XSStrike","commit_stats":{"total_commits":416,"total_committers":28,"mean_commits":"14.857142857142858","dds":"0.10336538461538458","last_synced_commit":"f29278760453996c713af908376d6dab24e61692"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FXSStrike","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FXSStrike/tags","releases_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FXSStrike/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FXSStrike/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s0md3v","download_url":"https://codeload.github.com/s0md3v/XSStrike/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245222262,"owners_count":20580118,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["waf-detection","xss","xss-bruteforce","xss-detection","xss-exploit","xss-python","xss-scanner","xsstrike"],"created_at":"2024-07-31T08:00:55.295Z","updated_at":"2025-03-24T06:30:51.442Z","avatar_url":"https://github.com/s0md3v.png","language":"Python","readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr\u003e\n  \u003ca href=\"https://github.com/s0md3v/XSStrike\"\u003e\u003cimg src=\"https://image.ibb.co/cpuYoA/xsstrike-logo.png\" alt=\"XSStrike\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n  XSStrike\n  \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eAdvanced XSS Detection Suite\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/s0md3v/XSStrike/releases\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/release/s0md3v/XSStrike.svg\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://travis-ci.com/s0md3v/XSStrike\"\u003e\n    \u003cimg src=\"https://img.shields.io/travis/com/s0md3v/XSStrike.svg\"\u003e\n  \u003c/a\u003e\n  \u003ca 
href=\"https://github.com/s0md3v/XSStrike/issues?q=is%3Aissue+is%3Aclosed\"\u003e\n      \u003cimg src=\"https://img.shields.io/github/issues-closed-raw/s0md3v/XSStrike.svg\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n![multi xss](https://image.ibb.co/gOCV5L/Screenshot-2018-11-19-13-33-49.png)\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/s0md3v/XSStrike/wiki\"\u003eXSStrike Wiki\u003c/a\u003e •\n  \u003ca href=\"https://github.com/s0md3v/XSStrike/wiki/Usage\"\u003eUsage\u003c/a\u003e •\n  \u003ca href=\"https://github.com/s0md3v/XSStrike/wiki/FAQ\"\u003eFAQ\u003c/a\u003e •\n  \u003ca href=\"https://github.com/s0md3v/XSStrike/wiki/For-Developers\"\u003eFor Developers\u003c/a\u003e •\n  \u003ca href=\"https://github.com/s0md3v/XSStrike/wiki/Compatibility-\u0026-Dependencies\"\u003eCompatibility\u003c/a\u003e •\n  \u003ca href=\"https://github.com/s0md3v/XSStrike#gallery\"\u003eGallery\u003c/a\u003e\n\u003c/p\u003e\n\nXSStrike is a Cross-Site Scripting detection suite equipped with four hand-written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.\n\nInstead of injecting payloads and checking whether they work, as most other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that fit the reflection context, using context analysis integrated with a fuzzing engine.\nHere are some examples of the payloads generated by XSStrike:\n```\n}]};(confirm)()//\\\n\u003cA%0aONMouseOvER%0d=%0d[8].find(confirm)\u003ez\n\u003c/tiTlE/\u003e\u003ca%0donpOintErentER%0d=%0d(prompt)``\u003ez\n\u003c/SCRiPT/\u003e\u003cDETAILs/+/onpoINTERenTEr%0a=%0aa=prompt,a()//\n```\nApart from that, XSStrike has crawling, fuzzing, parameter discovery and WAF detection capabilities as well. 
It also scans for DOM XSS vulnerabilities.\n\n### Sponsored By\nWebsite: [https://iproyal.com/?r=800974](https://iproyal.com/?r=800974)\n\n\u003ca href=\"https://iproyal.com/?r=800974\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/s0md3v/s0md3v.github.io/refs/heads/main/imgs/inline/iproyal.png\"\u003e\u003c/a\u003e\n\n### Main Features\n- Reflected and DOM XSS scanning\n- Multi-threaded crawling\n- Context analysis\n- Configurable core\n- WAF detection \u0026 evasion\n- Outdated JS lib scanning\n- Intelligent payload generator\n- Handmade HTML \u0026 JavaScript parser\n- Powerful fuzzing engine\n- Blind XSS support\n- Highly researched workflow\n- Complete HTTP support\n- Bruteforce payloads from a file\n- Powered by [Photon](https://github.com/s0md3v/Photon), [Zetanize](https://github.com/s0md3v/zetanize) and [Arjun](https://github.com/s0md3v/Arjun)\n- Payload Encoding\n\n### Installation\nEnter the following commands one by one in a terminal:\n```\ngit clone https://github.com/s0md3v/XSStrike\ncd XSStrike\npip install -r requirements.txt --break-system-packages\n```\n\n`--break-system-packages` tells pip to ignore the externally-managed-environment guard (PEP 668) that distribution-packaged Pythons enable; installing into a virtual environment instead avoids the need for it.\n\nNow, XSStrike can be used at any time as follows:\n```\npython xsstrike.py\n```\n\n### Documentation\n- [Usage](https://github.com/s0md3v/XSStrike/wiki/Usage)\n- [Compatibility \u0026 Dependencies](https://github.com/s0md3v/XSStrike/wiki/Compatibility-\u0026-Dependencies)\n\n### FAQ\n- [It says fuzzywuzzy isn't installed but it is.](https://github.com/s0md3v/XSStrike/wiki/FAQ#it-says-fuzzywuzzy-is-not-installed-but-its)\n- [What's up with Blind XSS?](https://github.com/s0md3v/XSStrike/wiki/FAQ#whats-up-with-blind-xss)\n- [Why does XSStrike boast that it is the most advanced XSS detection suite?](https://github.com/s0md3v/XSStrike/wiki/FAQ#why-xsstrike-boasts-that-it-is-the-most-advanced-xss-detection-suite)\n- [I like the project, what enhancements and features can I expect in 
future?](https://github.com/s0md3v/XSStrike/wiki/FAQ#i-like-the-project-what-enhancements-and-features-i-can-expect-in-future)\n- [What's the false positive/negative rate?](https://github.com/s0md3v/XSStrike/wiki/FAQ#whats-the-false-positivenegative-rate)\n- [Tool xyz works against the target, while XSStrike doesn't!](https://github.com/s0md3v/XSStrike/wiki/FAQ#tool-xyz-works-against-the-target-while-xsstrike-doesnt)\n- [Can I copy its code?](https://github.com/s0md3v/XSStrike/wiki/FAQ#can-i-copy-its-code)\n- [What if I want to embed it into proprietary software?](https://github.com/s0md3v/XSStrike/wiki/FAQ#what-if-i-want-to-embed-it-into-a-proprietary-software)\n\n### Gallery\n#### DOM XSS\n![dom xss](https://image.ibb.co/bQaQ5L/Screenshot-2018-11-19-13-48-19.png)\n#### Reflected XSS\n![multi xss](https://image.ibb.co/gJogUf/Screenshot-2018-11-19-14-19-36.png)\n#### Crawling\n![crawling](https://image.ibb.co/e6Rezf/Screenshot-2018-11-19-13-50-59.png)\n#### Fuzzing\n![fuzzing](https://image.ibb.co/fnhuFL/Screenshot-2018-11-19-14-04-46.png)\n#### Bruteforcing payloads from a file\n![bruteforcing](https://image.ibb.co/dy5EFL/Screenshot-2018-11-19-14-08-36.png)\n#### Interactive HTTP Headers Prompt\n![headers](https://image.ibb.co/ecNph0/Screenshot-2018-11-19-14-29-35.png)\n#### Hidden Parameter Discovery\n![arjun](https://image.ibb.co/effjh0/Screenshot-2018-11-19-14-16-51.png)\n\n### Contribution, Credits \u0026 License\nWays to contribute:\n- Suggest a feature\n- Report a bug\n- Fix something and open a pull request\n- Help me document the code\n- Spread the word\n\nLicensed under the GNU GPLv3; see [LICENSE](LICENSE) for more information.\n\nThe WAF signatures in `/db/wafSignatures.json` are taken \u0026 modified from [sqlmap](https://github.com/sqlmapproject/sqlmap). 
I extracted them from sqlmap's WAF detection modules, which can be found [here](https://github.com/sqlmapproject/sqlmap/blob/master/waf/), and converted them to JSON.\\\n`/plugins/retireJS.py` is a modified version of [retirejslib](https://github.com/FallibleInc/retirejslib/).\n","funding_links":["https://github.com/sponsors/s0md3v","https://paypal.me/s0md3v"],"categories":["Python","Exploitation","Uncategorized","\u003ca id=\"tag-dev\" href=\"#tag-dev\"\u003eDev\u003c/a\u003e","Tools","Weapons","Python (1887)","\u003ca id=\"132036452bfacf61471e3ea0b7bf7a55\"\u003e\u003c/a\u003eTools","\u003ca id=\"8f92ead9997a4b68d06a9acf9b01ef63\"\u003e\u003c/a\u003eScanners\u0026\u0026Security Scanning\u0026\u0026App Scanning\u0026\u0026Vulnerability Scanning","BUG BOUNTY / SECURITY RESEARCH","Credentials"],"sub_categories":["XSS","Uncategorized","\u003ca id=\"tag-dev.security\" href=\"#tag-dev.security\"\u003eSecurity\u003c/a\u003e","Offensive","XSS Injection","Tools","\u003ca id=\"de63a029bda6a7e429af272f291bb769\"\u003e\u003c/a\u003eUncategorized-Scanner","Web Security Testing","WebServers"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0md3v%2FXSStrike","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs0md3v%2FXSStrike","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0md3v%2FXSStrike/lists"}
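Worked example, added here and not taken from XSStrike or its README: the README's central claim is that the scanner parses the response to learn where a probe is reflected and derives the payload from that context instead of injecting blindly. The Python below, using only the standard-library HTML parser, classifies every reflection of a probe marker as HTML text, an attribute value (recording its quoting), a JavaScript string or code position inside a `<script>` block, or an HTML comment, and returns the breakout prefix each context needs; the JavaScript string-state tracking goes a step beyond what the README describes. The probe marker `zx7qv`, the sample response `SAMPLE` and the breakout table in `breakout_prefix` are constructed for this illustration; XSStrike's own parsers, markers and payload tables are different and are not reproduced here.

```python
# Added example, not XSStrike's code: classify where a probe is reflected and
# derive the breakout prefix from that context. PROBE, SAMPLE and the breakout
# table are constructed for this illustration.
import re
from html.parser import HTMLParser

PROBE = "zx7qv"  # alphanumeric, so entity decoding and parsing are unaffected

def js_string_state(js_prefix):
    """Quote char (', " or `) still open at the end of js_prefix, or None for
    code context. Honours backslash escapes; ignores quotes in // and /* */."""
    quote, i, n = None, 0, len(js_prefix)
    while i < n:
        c = js_prefix[i]
        if quote:
            if c == "\\":                       # escaped char inside a string
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in "'\"`":
            quote = c
        elif js_prefix.startswith(("//", "/*"), i):     # skip JS comments
            end = "\n" if js_prefix[i + 1] == "/" else "*/"
            j = js_prefix.find(end, i + 2)
            i = n if j == -1 else j + len(end)
            continue
        i += 1
    return quote

class ReflectionContexts(HTMLParser):
    """Records each context in which the probe is reflected."""

    def __init__(self, probe):
        super().__init__()
        self.probe, self.found, self._in_script = probe, [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script += 1
        raw = self.get_starttag_text() or ""
        for name, value in attrs:
            if value is not None and self.probe in value:
                # HTMLParser strips the quotes; recover them from the raw tag text.
                m = re.search(r"\b%s\s*=\s*([\"']?)" % re.escape(name), raw, re.I)
                self.found.append({"context": "attribute", "tag": tag, "attr": name,
                                   "quote": m.group(1) if m else ""})

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script -= 1

    def handle_data(self, data):
        if self.probe not in data:
            return
        if self._in_script:  # script content arrives as one data chunk
            before = data[: data.index(self.probe)]
            self.found.append({"context": "script", "js_quote": js_string_state(before)})
        else:
            self.found.append({"context": "html"})

    def handle_comment(self, data):
        if self.probe in data:
            self.found.append({"context": "comment"})

def breakout_prefix(ctx):
    """Characters a payload must start with to escape its context. Constructed
    table; a real scanner must also confirm each char survives filtering."""
    kind = ctx["context"]
    if kind == "html":
        return ""                    # already free to open a tag: <svg onload=...>
    if kind == "comment":
        return "-->"
    if kind == "attribute":
        return ctx["quote"] + ">"    # close the value (if quoted), then the tag
    if kind == "script":
        q = ctx["js_quote"]          # close the string, end the statement;
        return (q + ";") if q else ";"  # "</script>" also works whatever q is
    raise ValueError(kind)

def analyse(response_html, probe=PROBE):
    """Return [(context, breakout_prefix)] for every reflection of probe."""
    p = ReflectionContexts(probe)
    p.feed(response_html)
    p.close()
    return [(c, breakout_prefix(c)) for c in p.found]

# Constructed response reflecting the probe in five different contexts.
SAMPLE = """<!-- last query: zx7qv -->
<input type="text" name="q" value="zx7qv">
<a href=/go?u=zx7qv>link</a>
<p>No results for zx7qv</p>
<script>
  var q = 'zx7qv'; // echoed server-side
  track("search", q);
</script>
"""

if __name__ == "__main__":
    for ctx, prefix in analyse(SAMPLE):
        print(ctx, "-> breakout prefix", repr(prefix))
```

Running it lists one entry per reflection: the comment needs `-->`, the quoted `value` attribute needs `">`, the unquoted `href` needs only `>`, the text node needs nothing, and the script reflection, which sits inside a single-quoted JS string, needs `';`. The last case is why a scanner parses rather than pattern-matches: the same marker reflected one character later, outside the quotes, would need a different prefix, and an attribute that was single-quoted would need `'>` instead of `">`.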