Context-aware reflected & DOM XSS scanner with WAF detection and evasion
Project description
StingXSS
Context-aware XSS scanner — reflected, DOM, stored, and confirmed browser XSS with WAF detection and evasion. No Burp license. Just findings.
pip install stingxss
pip install stingxss[browser] # + headless browser engine
Point it at a target. Get findings. Drop it in a pipeline.
Why use StingXSS?
- Reads context first —
<script>blocks, attribute values, template literals, event handlers, and URL attributes all get tailored payloads. - Confirms execution — checks if the injected tag ran, not just reflected. The browser engine intercepts actual
alert()calls. - Finds what HTTP scanners miss — hash-fragment SPA routes (
#/path?param=) are invisible to every scanner that only looks at HTTP requests. - Evades WAFs automatically — rotates 10 encoding transforms when a straight payload is blocked.
- No browser required for most scans — DOM XSS via static analysis, runs anywhere Python runs. Add
[browser]only when you need execution proof. - Pipeline-native — JSON output, clean exit codes, Python API.
Quick start
stingxss -u "https://target.com/search?q=test"
stingxss -u "https://target.com/#/search?q=test" --browser
stingxss -u "https://target.com/" --crawl --level 3 -o results.json
stingxss -u "https://target.com/comment" --blind "https://xyz.oast.me"
stingxss -u "https://target.com/login" -d "user=test&pass=test" -c "session=abc"
stingxss -u "https://target.com/" --inject-headers Referer --inject-headers X-Forwarded-For
stingxss -L urls.txt --level 2 --crawl -o results.json
stingxss -u "https://target.com/search?q=x" --proxy http://127.0.0.1:8080 --delay 0.5 -v
Run with no arguments for interactive wizard mode.
What it finds
| Capability | Details |
|---|---|
| Reflected XSS | Unique probe markers, context detection, context-aware payloads |
| Confirmed Browser XSS | Headless Chromium intercepts alert() / confirm() — no false positives |
| DOM XSS | Static source-to-sink analysis — 28 sources, 43 sinks, no browser needed |
| Blind XSS | OOB callback variants across crawled forms |
| Stored XSS | Inject via params/headers, revisit candidate pages to confirm execution |
| Header injection | Arbitrary headers tested for reflection and stored execution |
| SPA / hash-route support | Discovers #/path?param= invisible to HTTP-layer scanners |
| 28 HTML/JS contexts | html_body, attr_*, script_string/bare/template, event_handler, url_attr, css, html_comment, Angular/Vue templates + more |
| WAF fingerprinting | Cloudflare, Akamai, Imperva, AWS WAF, ModSecurity, Sucuri, F5 BIG-IP, Barracuda, Wordfence, FortiWeb |
| WAF evasion | 10 transforms: case mixing, HTML encode, Unicode escape, double URL encode, chunked tags, null byte, newline inject, comment break, backtick attr, CSS expression |
| CORS misconfiguration | Dynamic reflection, bypass patterns, credential exposure |
| Prototype pollution | Parameter-based prototype pollution payload injection |
| DOM clobbering | Payloads targeting clobberable DOM properties |
| Clickjacking | Missing/misconfigured X-Frame-Options and frame-ancestors |
| HSTS | Missing or weak Strict-Transport-Security headers |
| SRI | <script> and <link> tags missing integrity attributes |
| JSONP | Callback parameter detection and exploitation |
| Mixed content | HTTPS pages loading HTTP resources |
| Open redirect | Parameter-based redirect detection |
| Vulnerable libraries | Known CVEs in detected client-side JS libraries |
| Crawler | Multi-threaded BFS, same-origin, captures hidden inputs |
| External JS | Fetches and analyses <script src> files for DOM XSS |
| Bulk scanning | -L / --url-list scans a whole target list in one shot |
Browser engine
Headless Chromium pass that confirms JavaScript execution — not just reflection.
pip install stingxss[browser]
stingxss -u "https://target.com/#/search?q=test" --browser
Python API
from stingxss import scan, ScanOptions
result = scan("https://target.com/search?q=test")
print(f"{result.total_findings} finding(s) in {result.duration_s:.1f}s")
Install from source
git clone https://github.com/CommonHuman-Lab/stingxss.git
cd stingxss
pip install -e .
pip install -e ".[browser]" # optional browser engine
Requires Python 3.10+. No C extensions.
📜 License
Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.
For commercial licensing, contact the author.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
stingxss-0.1.1.tar.gz
(120.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
stingxss-0.1.1-py3-none-any.whl
(103.8 kB
view details)
File details
Details for the file stingxss-0.1.1.tar.gz.
File metadata
- Download URL: stingxss-0.1.1.tar.gz
- Upload date:
- Size: 120.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c3fe854dd96fac9b14af5d8a0537acb485033811e474096dae20563b8db47956
|
|
| MD5 |
f923d0535b48eec37218709800ad611a
|
|
| BLAKE2b-256 |
fbccc03b837941764cac3b96656e9dcd8e8d6bb9a17fe550b53538396e293310
|
File details
Details for the file stingxss-0.1.1-py3-none-any.whl.
File metadata
- Download URL: stingxss-0.1.1-py3-none-any.whl
- Upload date:
- Size: 103.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d08d81228a5283a45f0b3e3dd2730b631f3f5e401832389027d3c916e25e9852
|
|
| MD5 |
b2d647d4416aad5ee487c60ecf1545e7
|
|
| BLAKE2b-256 |
e07ad6422608d2758fe1b554453cdecc85ba945780719706da4bf02fedc0f945
|
