Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.


  • Easy to use dashboard with statistics, payloads, view/share/search reports
  • Payload generator
  • Instant alerts via mail, Telegram or custom callback URL
  • Custom javascript payloads
  • Custom payload links to distinguish insert points
  • Block, whitelist and other filters
  • Share reports with a direct link, via email or with other ezXSS users
  • Secure your login with Two-factor (2FA)
  • The following information can be collected on a vulnerable page:
    • The URL of the page
    • IP Address
    • Any page referer (or share referer)
    • The User-Agent
    • All Non-HTTP-Only Cookies
    • All Locale Storage
    • All Session Storage
    • Full HTML DOM source of the page
    • Page origin
    • Time of execution
    • Payload URL
    • Screenshot of the page
    • Extract additional defined pages
  • its just ez :-)


  • Server or hosting with PHP 7.1 or up
  • Domain name (consider a short one)
  • SSL Certificate if you want to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL)


ezXSS is ez to install with Apache, NGINX or Docker

visit the wiki for installation instructions.

Live demo

For a demo visit with password demo1234. Please note that some features might be disabled in the demo version.