XSStrike is a Cross-Site Scripting detection suite equipped with four handwritten parsers, an intelligent payload generator, a powerful fuzzing engine, and an incredibly fast crawler.

Instead of injecting payloads and checking it works as all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. Here are some examples of the payloads generated by XSStrike:


Apart from that, XSStrike has crawling, fuzzing, parameter discovery, WAF detection capabilities as well. It also scans for DOM XSS vulnerabilities.


First you’ll need to clone it from the git repo:

$ git clone https://github.com/s0md3v/XSStrike.git

Then naviagate to XSStrike directory and install the requirements:

$ cd XSStrike
$ pip install -r requirements.txt

To run XSStrike:

$ python xsstrike


To list all available arguments, type --help:

usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl]
                   [--skip-poc] [--skip-dom] [--headers] [-d DELAY]

optional arguments:
  -h, --help            show this help message and exit
  -u, --url             target url
  --data                post data
  -t, --threads         number of threads
  -l, --level           level of crawling
  --fuzzer              fuzzer
  --update              update
  --timeout             timeout
  --params              find params
  --crawl               crawl
  --skip-poc            skip poc generation
  --skip-dom            skip dom checking
  --headers             add headers
  -d, --delay           delay between requests

Scan a single URL example

  • Option: -u or --url

To test a single webpage which uses GET method:

$ python xsstrike.py -u "http://example.com/search.php?q=query"

Supplying POST data:

$ python xsstrike.py -u "http://example.com/search.php" --data "q=query"

Crawling example

  • Option: --crawl

To start crawling from the target webpage, run:

$ python xsstrike.py -u "http://example.com/page.php" --crawl

Finding hidden parameters:

  • Option: --params
$ python xsstrike.py -u "http://example.com/page.php" --params

Main Features

  • Reflected and DOM XSS scanning
  • Multi-threaded crawling
  • Context analysis
  • Configurable core
  • WAF detection & evasion
  • Outdated JS lib scanning
  • Intelligent payload generator
  • Handmade HTML & JavaScript parser
  • Powerful fuzzing engine
  • Blind XSS support
  • Highly researched work-flow
  • Complete HTTP support
  • Bruteforce payloads from a file
  • Powered by PhotonZetanize and Arjun
  • Payload Encoding



Reflected XSS



Bruteforcing payloads from a file

Interactive HTTP Headers Prompt

Hidden Parameter Discovery

Contribution, Credits & License

Ways to contribute

  • Suggest a feature
  • Report a bug
  • Fix something and open a pull request
  • Create a browser extension
  • Create a burp suite/zaproxy plugin
  • Help me document the code
  • Spread the word