Show Menu

XSS Tools Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.


XSSer, xsssniper, XSScrapy are just a few available
Interc­eption proxies afford important capabi­lities including manual discovery and verifi­cation of XSS flaws, facili­tating fuzzing and finding less obvious locations for injection including User-A­gents, Cookies, HTTP Headers, and Referer.

Burp Intruder

Assists with manual or automated fuzzing for XSS reflection tests.
Use Battering Ram, which submits 1 payload at multiple positions simult­ane­ously.
Injection points can include URL parame­ters, HTTP User-A­gent, HTTP Referer, Cookies and more.
Grep Payloads is an options in Burp Intruder that searches the applic­ations response for the submitted payload.
Combining Battering Ram and Grep Payloads automates fuzzing multiple injection point per request and resolving whether the payload is in the response.
Sniper can follow the combin­ation to determine which injection point reflected.


Python­-based tool that attempts to automate reflection testing.
Simple and quick, it can perform spidering, scan the target and inject with simple syntax.
xsssniper -u "­URI­" --crawl --forms
--crawl instructs it to crawl a site for entry points
--forms instructs it to look for injectable forms
--http­-proxy [IP: Port #] Runs it through a proxy


Python­-based XSS discovery tool with command and GTK GUI interface that has a wizard.
--heur­istics attempts to determine filtering used by the app
Bypass techniques included:
--hex hexade­cimal encoding
--dec decimal
--une unescape()
Can be pointed at a proxy with --proxy
Contains options to discover XSS flaws in HTTP User-A­gent, HTTP-R­eferer, HTTP Cookies and others.
Has a list of potential XSS payloads, though they have no been recently updated.


Python­-based XSS spider.
Uses "­mag­ic" reflection string of 9zqjx to attempt to discover potent­ially reflected input and location. This string can prepended and appended to payloads as well.
Will employ one of 3 payloads based on location:
The focus is on using innocuous input followed by a crafted payload to determine filtering and injection effici­ently.
Typically has reduced false positives.

Reflected POST

Getting users to send a GET request via a malicious link or fetching a resource is fairly simple
Getting a user to send a malicious POST is trickier.
Hosting a malicious HTML form on an attacker controlled site provides an easy strategy, especially if the form is hidden and automa­tically submits.
Ensure the target supports parameters being passed as query parame­ters.
HTTP Post does not use URL for parameters but instead sends variables in the payload of the request.
get2po­ is a Python script that you pass the target and PST payloads as URL parame­ters. It produces a GETified URL that uses the target parameter for redire­ction and additional query parameters become POST payloads.