XSSProbe

Description

Probes URLs for reflective XSS with context-aware payloads and reports likely vulnerabilities as JSON lines. Non-destructive; uses marker-based payloads and response context analysis.

XSSProbe sends crafted, context-aware payloads to specified URL parameters and analyzes the returned HTML for reflections and risky contexts (script blocks, on* attributes, injected tags). It does not execute JavaScript; instead, it uses static analysis to score likelihood. Use DryRun to preview planned tests.
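The marker-based probing and response context analysis described above, as an added Python example (not XSSProbe's own code). It assumes a constructed canary set, the context labels script/event-handler/attribute/tag/text, and a simplified confidence scale; only the {{MARK}} template convention comes from this page.

```python
import re
import secrets

# Canary characters placed between two copies of the marker; a correct
# output encoder must neutralise every one of them in the response.
CANARY = "<>\"'"
PROBE_TEMPLATE = "{{MARK}}" + CANARY + "{{MARK}}"

def make_marker() -> str:
    """Unique, unguessable token so a reflection cannot be a coincidence."""
    return "xp" + secrets.token_hex(4)

def build_probe(template: str, marker: str) -> str:
    """Expand a {{MARK}} template, as the CustomPayloads option describes."""
    return template.replace("{{MARK}}", marker)

def _context(before: str) -> str:
    """Classify the HTML context at the point where a reflection starts."""
    opens = len(re.findall(r"<script\b", before, re.I))
    if opens > len(re.findall(r"</script\s*>", before, re.I)):
        return "script"
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt <= gt:
        return "text"  # between tags
    attr = re.search(r"([\w:-]+)\s*=\s*(\"[^\"]*|'[^']*|[^\s\"'>]*)$", before[lt:])
    if not attr:
        return "tag"  # lands where a new attribute name would go
    return "event-handler" if attr.group(1).lower().startswith("on") else "attribute"

def assess(html: str, marker: str) -> list:
    """Find each bounded reflection of the probe and score how risky its context is."""
    pat = re.compile(re.escape(marker) + r"(.{0,32}?)" + re.escape(marker), re.S)
    findings = []
    for m in pat.finditer(html):
        ctx = _context(html[:m.start()])
        # canaries that came back raw; encoded ones (&lt; &quot; &#39;) do not count
        survived = "".join(ch for ch in CANARY if ch in m.group(1))
        if ctx in ("event-handler", "tag"):
            conf = "high"  # on* values are entity-decoded before the JS parser sees them
        elif ctx == "script":
            conf = "high" if survived else "medium"
        elif ctx == "attribute":
            conf = "high" if ('"' in survived or "'" in survived) else "low"
        else:
            conf = "high" if "<" in survived else "low"
        findings.append({"context": ctx, "survived": survived, "confidence": conf,
                         "snippet": html[max(0, m.start() - 30):m.end() + 30]})
    return findings
```

Reflections that drop the closing marker (truncated or heavily filtered output) are not reported by this simplified version, which is the trade-off for bounding the canary window.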

Parameters

  • Urls (string[], required): One or more target URLs. Include existing query parameters where possible.
  • Method (string, optional, default=GET): GET or POST. For POST, supply FormFields or BodyJson.
  • Params (string[], optional): Specific parameter names to inject. If omitted, the tool uses existing query/form keys; if none, defaults to ["q"].
  • BodyJson (string, optional): JSON object string used as POST body; target params are set to payloads.
  • FormFields (hashtable, optional): POST form key/value pairs; target params are set to payloads.
  • Headers (hashtable, optional): Extra HTTP headers to include.
  • Cookies (hashtable, optional): Cookies to include (name=value pairs); sent via Cookie header.
  • PayloadSet (string, optional, Default|Edge|Aggressive; default=Default): Selects built-in payload templates.
  • CustomPayloads (string[], optional): Custom payload templates. Use token {{MARK}} where a unique marker should be placed.
  • ThrottleMs (int, optional, default=0): Milliseconds to wait between requests.
  • TimeoutSeconds (int, optional, default=20): Per-request timeout in seconds.
  • StopOnFirst (switch, optional): Stop after first high-confidence finding.
  • FindingsOnly (switch, optional): Emit only finding lines. Otherwise, a final summary JSON is printed.
  • DryRun (switch, optional): Do not send requests; print a JSON description of planned tests.
  • ScopeHostPattern (string, optional, default=.*): A regex that tested hostnames must match; others are skipped.
  • UserAgent (string, optional): Custom User-Agent string.

Output

  • JSON lines for each finding with fields: url, method, param, payloadName, statusCode, confidence, contexts, snippet, notes.
  • If FindingsOnly is not set, emits a final JSON summary with test counts.

Notes

  • Focuses on reflective XSS and static DOM heuristics. DOM-execution and stored XSS require a headless browser or persistence workflow and are out of scope for this MVP.
  • Be respectful of program rules. Use ThrottleMs to limit request rate and ScopeHostPattern to keep tests inside the authorized hosts.