XSS Tester is a Python-based tool designed to test websites for Stored and Reflected Cross-Site Scripting (XSS) vulnerabilities, specifically targeting the CVE-2020-11023 jQuery < 3.5.0 DOM-based XSS bug. It provides a user-friendly interface with rich console output and supports advanced features like web crawling, WebSocket testing, and customizable payloads.
Authors: z3r0 & gassal
Contact: Instagram @zerodefacer
- Tests for Stored and Reflected XSS vulnerabilities.
- Supports multiple domain extensions (e.g., .com, .org, .net, .io).
- Customizable HTTP headers, cookies, URL parameters, and POST data.
- Web crawling to discover additional URLs.
- WebSocket testing for XSS vulnerabilities.
- Fetches XSS payloads from GitHub and CVE data from NIST NVD API.
- Outputs results in table, JSON, or CSV format.
- Configurable scan levels (light, medium, deep) and payload filters.
- Proxy support for anonymized testing.
- Clone the repository:

  ```bash
  git clone https://github.com/zero666/xss-tester.git
  cd xss-tester
  ```

- Install dependencies:

  ```bash
  pip install -r requirements.txt
  ```

- Install Playwright browsers:

  ```bash
  playwright install
  ```

See requirements.txt for the full list of dependencies. Key libraries include:
- rich
- requests
- aiohttp
- websockets
- playwright

Run the script with the required -u/--url parameter to specify the target domain (without extension). Example commands:

```bash
python xss_tester.py -u testsite -l com,org
python xss_tester.py -u example -l com -t 10 --timeout 10000 --payload-filter script --proxy http://proxy:8080
```

| Option | Long Form | Description |
|---|---|---|
| `-u` | `--url` | Target domain (without extension, e.g., testsite) [Required] |
| `-l` | `--extensions` | Domain extensions to test (e.g., com,org or all) |
| `-t` | `--threads` | Number of threads (default: 5) |
| `-v` | `--verbose` | Verbosity level (0: minimal, 1: normal, 2: detailed) |
| `-d` | `--payload-filter` | Payload filter (e.g., script, img, svg, all) |
| `-p` | `--max-payloads` | Maximum number of payloads (0 = all) |
| `--params` | `--params` | Additional URL parameters (e.g., q=test,id=123) |
| `--data` | `--data` | POST request data (e.g., username=test) |
| `--json` | `--json` | Output results in JSON format |
| `--cookie` | `--cookie` | Cookies for testing (e.g., session=abc123) |
| `--timeout` | `--timeout` | Test timeout in milliseconds (default: 5000) |
| `--level` | `--level` | Scan level (1: light, 2: medium, 3: deep) |
| `--skip-dom` | `--skip-dom` | Skip DOM-based XSS tests |
| `--skip-reflect` | `--skip-reflect` | Skip Reflected XSS tests |
| `--crawl` | `--crawl` | Enable web crawler |
| `--seeds` | `--seeds` | Seed URLs for crawling (comma-separated) |
| `--path` | `--path` | Specific path to test (e.g., /comments) |
| `--log` | `--log` | Path to log file (default: xss.log) |
| `--output` | `--output` | Output file path (e.g., results.csv) |
| `--update` | `--update` | Update payloads and CVE list |
| `--cve-api-key` | `--cve-api-key` | API key for CVE data (e.g., NIST NVD API key) |
| `--proxy` | `--proxy` | Proxy server (e.g., http://proxy:8080) |

The tool provides a rich console interface with colorful banners and tables. Results are saved in the specified format (table, JSON, or CSV). Successful XSS payloads are logged, and exploits are saved in the exploits/ directory.
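
The jQuery < 3.5.0 scope named in the introduction can be checked from the defender's side before any scan is run. The following is an added example, not part of XSS Tester's code: it inspects page HTML and script text you already hold and reports which referenced jQuery versions fall below 3.5.0. The function names and the sample markup are constructed for illustration.

```python
import re

# Bound taken from this page: jQuery versions below 3.5.0 are in scope.
FIXED = (3, 5, 0)

# <script src="..."> attributes in the page markup.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Versioned paths: jquery-3.4.1.min.js, jquery/3.4.1/jquery.js, jquery@3.4.1
# (a digit must follow the separator, so jquery-ui-* and jquery-migrate-* are ignored).
SRC_RE = re.compile(r"jquery[-/.@](\d+)\.(\d+)(?:\.(\d+))?", re.I)
# Banner comments: "/*! jQuery v3.4.1 |" and "jQuery JavaScript Library v3.4.1".
BANNER_RE = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?")


def _version(match):
    """Turn regex groups into a comparable (major, minor, patch) tuple."""
    return tuple(int(g or 0) for g in match.groups())


def jquery_versions(html, script_bodies=()):
    """Collect jQuery versions named in script URLs or banner comments."""
    found = set()
    for src in SCRIPT_SRC_RE.findall(html):
        m = SRC_RE.search(src)
        if m:
            found.add(_version(m))
    # Inline scripts and bundled files often keep the library banner.
    for body in (html, *script_bodies):
        found.update(_version(m) for m in BANNER_RE.finditer(body))
    return found


def audit(html, script_bodies=()):
    """Map each detected version to True when it is below 3.5.0."""
    versions = sorted(jquery_versions(html, script_bodies))
    return {".".join(map(str, v)): v < FIXED for v in versions}


# Constructed sample input (not taken from any real site).
SAMPLE_HTML = """
<script src="https://cdn.example/jquery-3.4.1.min.js"></script>
<script src="/static/js/jquery/3.5.1/jquery.min.js"></script>
<script src="/static/js/jquery-ui-1.12.1.js"></script>
"""
SAMPLE_BUNDLE = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */"

if __name__ == "__main__":
    for version, in_scope in audit(SAMPLE_HTML, [SAMPLE_BUNDLE]).items():
        print(version, "upgrade to 3.5.0 or later" if in_scope else "ok")
```

A version string only shows what the page declares; a bundle with the banner stripped needs a dependency manifest or lockfile check instead.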
This tool is intended for authorized security testing and educational purposes only. Unauthorized use on systems you do not own or have explicit permission to test is illegal. Always obtain permission from the system owner before testing. The authors are not responsible for any misuse or damage caused by this tool.
This project is licensed under the MIT License. See the LICENSE file for details.
Contributions are welcome! Please submit a pull request or open an issue on GitHub.
For questions or feedback, contact us via Instagram: @zerodefacer