Advanced XSS Detection and Exploitation Suite: XSStrike

ID N0WHERE:172021
Type n0where
Reporter N0where
Modified 2018-11-15T05:14:37


XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler. Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine

Advanced XSS Detection and Exploitation Suite: XSStrike

Main Features

  • Reflected and DOM XSS scanning
  • Multi-threaded crawling
  • Context analysis
  • Configurable core
  • WAF detection & evasion
  • Intelligent payload generator
  • Handmade HTML & JavaScript parser
  • Powerful fuzzing engine
  • Blind XSS support
  • Highly researched work-flow
  • Complete HTTP support
  • Bruteforce payloads from a file
  • Powered by Photon , Zetanize and Arjun
  • Payload Encoding


Python Versions

XSStrike is fully compatible with python versions >= 3.4

Operating Systems

XSStrike has been tested on Linux (Arch, Debian, Ubnutu), Termux, Windows (7 & 10), Mac, and works as expected. Feel free to report any bugs you encounter.


Mac & Windows don’t support ANSI escape sequences so the output won’t be colored on Mac & Windows.


  • tld
  • requests
  • fuzzywuzzy


usage: [-h] [-u TARGET] [--data DATA] [-t THREADS]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl] [--blind]
                   [--verbose] [--skip-dom] [--headers] [--proxy] [-d DELAY] [-e ENCODING]

optional arguments:
  -h, --help            show this help message and exit
  -u, --url             target url
  --data                post data
  -v, --verbose         verbose output
  -f, --file            load payloads from a file
  -t, --threads         number of threads
  -l, --level           level of crawling
  -t, --encode          payload encoding
  --fuzzer              fuzzer
  --update              update
  --timeout             timeout
  --params              find params
  --crawl               crawl
  --proxy               use prox(y|ies)
  --blind               inject blind xss payloads while crawling
  --skip                skip confirmation dialogue and poc
  --skip-dom            skip dom checking
  --headers             add headers
  -d, --delay           delay between requests

Advanced XSS Detection and Exploitation Suite: XSStrike Download