Automatic XSS filter bypass
Latest commit 76196b6 Aug 20, 2015 @mauro-g Update
Failed to load latest commit information.
lib Initial import Oct 15, 2012
payloads Initial import Oct 15, 2012
src test vulnerable pages via URI (w/o HTTP GET parameter) Dec 11, 2012 Update Aug 20, 2015
build.xml Initial import Oct 15, 2012


Automatic XSS filter bypass


snuck is an automatic tool whose goal is to significantly test a given XSS filter by specializing the injections on the basis of the reflection context. This approach adopts Selenium to drive a web browser in reproducing both the attacker and the victim behavior.

Learn about snuck

Visit the tutorial for further information about the tool and the user guide.

Research papers

The methodology, evaluation, and implementation of snuck is described in a technical report:

  • Fabrizio d'Amore, Mauro Gentile: Automatic and Context-Aware Cross-Site Scripting Filter Evasion. Department of Computer, Control, and Management Engineering Antonio Ruberti Technical Reports, Technical Report n. 4, Sapienza University of Rome, 2012. [Paper]


The project is no longer under active development since June 2013, and it was exported from Google Code. Latest code changes were applied to the 0.1.1 branch.

snuck is released under the Apache 2.0 license.