101 Switching Domain: Visit Our Brand New Domain! It's Shorter & More Powerful: blackbird.eu →

A False-Positive Free XSS Scanner

No more worries about getting notified of non-existing vulnerabilities.

  • GET-based, POST-based & Blind Cross-Site Scripting
  • Fast Scans
  • No False Positives
  • Scan for XSS

    Advanced & Versatile In So Many Ways.

    From false-positive free results to clear & dynamically generated steps-to-reproduce.

    XSSCANNER Product Image
    Simulate Penetration Tester's Behaviour
    Perform an automated series of effective tests to identify, exploit and verify a cross-site scripting vulnerability.
    Blazing Fast
    Scan multiple URLs concurrently with our multi-threaded scanners.
    False-Positive Free
    Our integrated <span className='text-indigo-600'>Validator Engine</span> drops false-positive rates to 0%.
    Advanced Payload Set
    With our specially crafted payload list generated for each context, it is more than capable of evading strict patterns and WAF rules.
    Detailed Reports
    Receive detailed reports with actionable steps. Even for edge-cases requiring multiple steps from the end-user, for example a click or a mouse enter event.
    Instant Notifications
    Receive instant notifications once an cross-site scripting vulnerability is discovered. Regardless of the scans' progress status.
    Try XSSCANNER

    FAQ

    Frequently asked questions

    XSScanner is capable of identifying and verifying GET-based & POST-based cross-site scripting vulnerabilities at the moment. Including ones that require additional input from the user to trigger (view our demo video for more information)!

    Yes, you can manually supply multiple URLs at the same time.

    Additionally, you can also initiate a Deep Scan and automate the whole process from content discovery to scanning for CWE-79!

    No, at the moment, only GET-based & POST-based XSS vulnerabilities are supported.

    Later generations of our XSScanner will include support for DOM-based XSS.

    No, the first generation of XSSCANNER is currently not capable of finding more advanced CSP bypasses for certain edge-cases.

    Later generations of our XSScanner will include full support for Content Security Policy bypasses.

    Yes it is! You can easily supply request headers (including any authentication headers) to reach parts behind a login form!

    Yes, Blind XSS is supported using our integrated callback server. Our XSS scanner automatically injects payloads with your personal blind XSS payload.

    Contact usScan for XSS