Context-aware reflected & DOM XSS scanner with WAF detection and evasion

Project description

StingXSS

Context-aware XSS scanner — reflected, DOM, stored, and confirmed browser XSS with WAF detection and evasion. No Burp license. Just findings.

pip install stingxss
pip install stingxss[browser]  # + headless browser engine

# Install in virtual env
python3 -m venv .venv
source .venv/bin/activate
pip install stingxss[browser]

# Use against a target (here the local Fire Range lab instance)
stingxss -u "http://127.0.0.1:17477" --browser --crawl --level 2

Point it at a target. Get findings. Drop it in a pipeline.


Why use StingXSS?

  • Reads context first: <script> blocks, attribute values, template literals, event handlers, and URL attributes all get tailored payloads.
  • Confirms execution — checks if the injected tag ran, not just reflected. The browser engine intercepts actual alert() calls.
  • Finds what HTTP scanners miss — hash-fragment SPA routes (#/path?param=) are invisible to every scanner that only looks at HTTP requests.
  • WAF-aware — detects common WAFs and applies evasion transforms automatically
  • No browser required for most scans — DOM XSS via static analysis, runs anywhere Python runs. Add [browser] only when you need execution proof.
  • Pipeline-native — JSON output, clean exit codes, Python API.
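As an added illustration of the context detection described above (this is not code from the StingXSS project), here is a small Python classifier that locates a reflected probe marker in an HTML response and labels its context with the README's own names (html_body, attr_dq, event_handler, url_attr, script_string/bare/template, html_comment). The marker value and the sample responses are constructed, and the attribute and quote handling is a simplified heuristic rather than the scanner's parser.

```python
import re

MARKER = "sxq7k1z"  # constructed probe marker; StingXSS generates its own per request
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
_ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*(["\']?)')

def _js_quote_state(js):
    # Return the quote char still open at the end of `js` ('' if none); escapes dropped first.
    state = ""
    for ch in re.sub(r"\\.", "", js):
        if not state and ch in "\"'`":
            state = ch
        elif ch == state:
            state = ""
    return state

def classify_context(body, marker=MARKER):
    # Label the context of the first reflection of `marker` in an HTML response body.
    idx = body.find(marker)
    if idx < 0:
        return "not_reflected"
    before = body[:idx]
    if before.rfind("<!--") > before.rfind("-->"):
        return "html_comment"
    script_at = before.lower().rfind("<script")
    if script_at > before.lower().rfind("</script") and ">" in before[script_at:]:
        js = before[before.find(">", script_at) + 1:]    # text after the <script ...> tag
        return {"": "script_bare", "`": "script_template"}.get(_js_quote_state(js), "script_string")
    tag_at = before.rfind("<")
    if tag_at > before.rfind(">"):                       # marker lands inside a tag
        attrs = list(_ATTR_RE.finditer(before[tag_at:]))
        if not attrs:
            return "tag_name"
        name, quote = attrs[-1].group(1).lower(), attrs[-1].group(2)
        rest = before[tag_at + attrs[-1].end():]         # text between the = and the marker
        if (quote and quote in rest) or (not quote and re.search(r"\s", rest)):
            return "attr_name"                           # previous value closed; bare token
        if name.startswith("on"):
            return "event_handler"
        if name in URL_ATTRS:
            return "url_attr"
        return {'"': "attr_dq", "'": "attr_sq"}.get(quote, "attr_unquoted")
    return "html_body"

SAMPLES = {  # constructed responses, one per context label
    "html_body": "<p>You searched for sxq7k1z</p>",
    "attr_dq": '<input type="text" value="sxq7k1z">',
    "event_handler": "<button onclick='sxq7k1z'>go</button>",
    "script_string": '<script>var q = "sxq7k1z";</script>',
}
```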

Quick start

stingxss -u "https://target.com/search?q=test"
stingxss -u "https://target.com/#/search?q=test" --browser
stingxss -u "https://target.com/" --crawl --level 3 -o results.json
stingxss -u "https://target.com/comment" --blind "https://xyz.oast.me"
stingxss -u "https://target.com/login" -d "user=test&pass=test" -c "session=abc"
stingxss -u "https://target.com/" --inject-headers Referer --inject-headers X-Forwarded-For
stingxss -L urls.txt --level 2 --crawl -o results.json
stingxss -u "https://target.com/search?q=x" --proxy http://127.0.0.1:8080 --delay 0.5 -v

# Authenticate before scanning
stingxss -u "https://target.com/dashboard" --login-url "https://target.com/login" \
  --login-user admin --login-pass secret

# Import all endpoints from an OpenAPI / Swagger spec
stingxss -u "https://target.com/" --openapi https://target.com/openapi.json

# Discover JS-rendered endpoints first, then scan everything
stingxss -u "https://target.com/" --browser-crawl --level 2

Run with no arguments for interactive wizard mode.

See the project wiki for the full CLI flags reference.


What it finds

  • Reflected XSS: Unique probe markers, context detection, context-aware payloads
  • Confirmed Browser XSS: Headless Chromium intercepts alert() / confirm() — no false positives
  • DOM XSS: Static source-to-sink analysis — 28 sources, 43 sinks, no browser needed
  • Blind XSS: OOB callback variants across crawled forms
  • Stored XSS: Inject via params/headers, revisit candidate pages to confirm execution
  • Header injection: Arbitrary headers tested for reflection and stored execution
  • SPA / hash-route support: Discovers #/path?param= routes invisible to HTTP-layer scanners
  • 28 HTML/JS contexts: html_body, attr_*, script_string/bare/template, event_handler, url_attr, css, html_comment, Angular/Vue templates and more
  • WAF fingerprinting: Cloudflare, Akamai, Imperva, AWS WAF, ModSecurity, Sucuri, F5 BIG-IP, Barracuda, Wordfence, FortiWeb
  • WAF evasion: 10 transforms (case mixing, HTML encode, Unicode escape, double URL encode, chunked tags, null byte, newline inject, comment break, backtick attr, CSS expression)
  • CORS misconfiguration: Dynamic reflection, bypass patterns, credential exposure
  • Prototype pollution: Parameter-based prototype pollution payload injection
  • DOM clobbering: Payloads targeting clobberable DOM properties
  • Clickjacking: Missing/misconfigured X-Frame-Options and frame-ancestors
  • HSTS: Missing or weak Strict-Transport-Security headers
  • SRI: <script> and <link> tags missing integrity attributes
  • JSONP: Callback parameter detection and exploitation
  • Mixed content: HTTPS pages loading HTTP resources
  • Open redirect: Parameter-based redirect detection
  • Vulnerable libraries: Known CVEs in detected client-side JS libraries
  • Crawler: Multi-threaded BFS, same-origin, captures hidden inputs
  • External JS: Fetches and analyses <script src> files for DOM XSS
  • Bulk scanning: -L / --url-list scans a whole target list in one shot
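The DOM XSS entry above describes a static source-to-sink pass. As an added illustration (not the project's own analyser), the Python sketch below shows the idea on a short constructed script: variables assigned from a handful of taint sources are tracked line by line, and any sink that receives a source or a tainted variable is reported with its line number. The source and sink lists are a small constructed subset of the 28 and 43 the README mentions.

```python
import re

# Small constructed subset of the README's source/sink lists; not the project's analyser.
SOURCES = ["location.hash", "location.search", "document.URL", "document.referrer", "window.name"]
SINKS = {
    "innerHTML": r"\.innerHTML\s*=", "outerHTML": r"\.outerHTML\s*=",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(", "eval": r"\beval\s*\(",
    "document.write": r"document\.write(?:ln)?\s*\(", "location.assign": r"location\.(?:assign|replace)\s*\(",
}
_ASSIGN_RE = re.compile(r"(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$")
_COMMENT_RE = re.compile(r"(^|\s)//.*$")

def _taint_of(expr, tainted):
    # Return the originating source if `expr` mentions a source or a tainted variable.
    for src in SOURCES:
        if src in expr:
            return src
    for var, src in tainted.items():
        if re.search(rf"\b{re.escape(var)}\b", expr):
            return src
    return None

def find_dom_flows(js):
    # Line-oriented taint pass over JS text: returns [(line_no, source, sink), ...].
    tainted, findings = {}, []
    for line_no, raw in enumerate(js.splitlines(), 1):
        code = _COMMENT_RE.sub(r"\1", raw).strip()
        sink = next((name for name, pat in SINKS.items() if re.search(pat, code)), None)
        assign = _ASSIGN_RE.match(code)
        if assign and sink is None:          # plain assignment: variable inherits or loses taint
            src = _taint_of(assign.group(2), tainted)
            if src:
                tainted[assign.group(1)] = src
            else:
                tainted.pop(assign.group(1), None)
        elif sink is not None:
            src = _taint_of(code, tainted)
            if src:
                findings.append((line_no, src, sink))
    return findings

# Constructed sample script: two real flows, two lines that must not be flagged.
SAMPLE_JS = """\
var q = decodeURIComponent(location.hash.slice(2));
document.getElementById("out").innerHTML = "Results for " + q;  // flow 1
document.title = q;                 // not an HTML/JS sink
eval(window.name);                  // flow 2, direct source-to-sink
el.textContent = location.search;   // textContent is not an HTML sink
"""
```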

Authentication & discovery

# Form login — authenticate once, scan as the logged-in user
stingxss -u "https://target.com/app" \
  --login-url "https://target.com/login" \
  --login-user admin --login-pass secret

# OpenAPI / Swagger — import every endpoint and scan them all
stingxss -u "https://target.com/" --openapi https://target.com/openapi.json
stingxss -u "https://target.com/" --openapi /path/to/swagger.yaml --base-url https://target.com

# Browser crawl — headless Chromium discovers JS-rendered routes before scanning
# (discovery only — use --browser for XSS execution proof)
stingxss -u "https://target.com/" --browser-crawl --level 2

Install optional dependencies as needed:

pip install stingxss[browser]   # Chromium-based XSS execution + browser-crawl discovery

Browser engine

Headless Chromium pass that confirms JavaScript execution — not just reflection.

pip install stingxss[browser]
stingxss -u "https://target.com/#/search?q=test" --browser

See the browser engine page in the project wiki for details.


Python API

from stingxss import scan, ScanOptions

result = scan("https://target.com/search?q=test")
print(f"{result.total_findings} finding(s) in {result.duration_s:.1f}s")

See the project wiki for the full Python API reference.


Fire Range

The StingXSS Fire Range is a deliberately vulnerable Flask app that ships with OctoRig (lab slot 8). It provides injectable endpoints that the scanner is verified against on every change.

# Start the Fire Range (OctoRig required)
./octorig.sh start 8

📜 License

Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.

For commercial licensing, contact the author.


Download files

Source Distribution

stingxss-0.1.5.tar.gz (110.0 kB, Source)

Built Distribution

stingxss-0.1.5-py3-none-any.whl (90.2 kB, Python 3)

File details

Details for the file stingxss-0.1.5.tar.gz.

File metadata

  • Download URL: stingxss-0.1.5.tar.gz
  • Size: 110.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for stingxss-0.1.5.tar.gz:

  • SHA256: 5fe87e9ee33b3c581fbc63497246b1130f3bf2a3eda4eaee7dbee8d54b058346
  • MD5: af99d85096d75f79cddf5ea8537a1acb
  • BLAKE2b-256: 1a32c984d3edc3f8d31e8830b65a442c267d894ff5c484cdfeda0a4eee842950

File details

Details for the file stingxss-0.1.5-py3-none-any.whl.

File metadata

  • Download URL: stingxss-0.1.5-py3-none-any.whl
  • Size: 90.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for stingxss-0.1.5-py3-none-any.whl:

  • SHA256: 4d982f2957463ff49b7c508ef7017080ad789620ee8115a1498d186b8722a034
  • MD5: aa438131ee718855ac20abae80f5821c
  • BLAKE2b-256: 26c3e04f24702e83a7603f383544dd4d493a7c3ed256d28acabb197592f47156