Skip to content


Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time

ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.


  • Easy to use dashboard with statistics, payloads, view/share/search reports
  • Payload generator
  • Instant alerts via mail, Telegram or custom callback URL
  • Custom javascript payloads
  • Custom payload links to distinguish insert points
  • Block, whitelist and other filters
  • Share reports with a direct link, via email or with other ezXSS users
  • Secure your login with Two-factor (2FA)
  • The following information can be collected on a vulnerable page:
    • The URL of the page
    • IP Address
    • Any page referer (or share referer)
    • The User-Agent
    • All Non-HTTP-Only Cookies
    • All Locale Storage
    • All Session Storage
    • Full HTML DOM source of the page
    • Page origin
    • Time of execution
    • Payload URL
    • Screenshot of the page
    • Extract additional defined pages
  • its just ez :-)


  • Server or hosting with PHP 7.1 or up
  • Domain name (consider a short one)
  • SSL Certificate if you want to test on https websites (consider Cloudflare or Let's Encrypt for a free SSL)


ezXSS is ez to install with Apache, NGINX or Docker

visit the wiki for installation instructions.

Live demo

For a demo visit with password demo1234. Please note that some features might be disabled in the demo version.