
Context-aware reflected & DOM XSS scanner with WAF detection and evasion

Project description

StingXSS


The context-aware XSS scanner — reflected, DOM, stored, blind, and browser-confirmed XSS with WAF evasion, CRLF injection, XST, and PoC generation. No Burp license. Just findings.

# Kali / Debian / Ubuntu — venv required on externally-managed Python
python3 -m venv .venv && source .venv/bin/activate
pip install stingxss
pip install "stingxss[browser]"  # + headless browser engine (quoted so the shell does not treat the brackets as a glob)

Or from source:

git clone https://github.com/CommonHuman-Lab/stingxss.git
cd stingxss
python3 -m venv .venv && source .venv/bin/activate
pip install -e .

Point it at a target. Get findings. Drop it in a pipeline.


Why StingXSS

Most XSS scanners fire generic payloads and check for reflection. StingXSS goes further at every step:

Context first. Before injecting a single payload, StingXSS classifies exactly where the input lands — inside a <script> block, a double-quoted attribute, a template literal, an Angular expression, a CSS value. The payloads sent are chosen for that specific context, not sprayed blindly.
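To make that classification step concrete, here is a simplified, added example (not StingXSS's own code) that locates a reflected marker in a response and names the syntactic context it landed in. The marker value and the sample pages are constructed for the example.

```python
import re

def _raw_text_since(before, tag):
    """Text after the last unclosed <tag ...> in `before`, or None if none is open."""
    opens = list(re.finditer(rf"<{tag}\b[^>]*>", before, re.I))
    closes = list(re.finditer(rf"</{tag}\s*>", before, re.I))
    if not opens or (closes and closes[-1].end() > opens[-1].end()):
        return None
    return before[opens[-1].end():]

def classify_context(body, marker):
    """Name the syntactic context of the first reflection of `marker` in `body`."""
    idx = body.find(marker)
    if idx < 0:
        return "not_reflected"
    before = body[:idx]  # only text before the marker decides the parser state
    js = _raw_text_since(before, "script")
    if js is not None:
        # Inside <script>: an odd count of backticks or quotes means inside a literal.
        if js.count("`") % 2:
            return "script_template_literal"
        if js.count('"') % 2 or js.count("'") % 2:
            return "script_string"
        return "script_code"
    if _raw_text_since(before, "style") is not None:
        return "css_block"
    if before.rfind("<!--") > before.rfind("-->"):
        return "html_comment"
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        # Inside a start tag: quote parity tells how the attribute is delimited.
        tag = before[lt:]
        if tag.count('"') % 2:
            return "attr_double_quoted"
        if tag.count("'") % 2:
            return "attr_single_quoted"
        if re.search(r"""=\s*[^\s"'>]*$""", tag):
            return "attr_unquoted"
        return "tag_internals"
    return "html_text"

def classify_samples():
    """Constructed sample responses, each reflecting the same marker in a different place."""
    pages = {
        "html_text": "<p>Results for stx7ch</p>",
        "attr_double_quoted": '<input name="q" value="stx7ch">',
        "script_string": '<script>var q = "stx7ch";</script>',
        "css_block": "<style>.hit{color:stx7ch}</style>",
    }
    return {name: classify_context(page, "stx7ch") for name, page in pages.items()}
```

The context decides not only which payload shapes are relevant but also, on the defensive side, which output encoding is sufficient: a plain HTML-entity filter is adequate for text and quoted-attribute contexts and does nothing for a reflection inside a script string or template literal.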

Smarter, not just more. Filter-probing runs automatically on every reflected parameter: one extra request maps which special characters the server encodes or strips, then only payloads that can actually work in that environment are tried. Fewer requests, higher signal.
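The probing step described above, as an added example that is not StingXSS's own code: one probe value carries each special character inside its own marker, and a single reflected response is enough to label every character raw, encoded or stripped. The probe character set and the mock server are constructed for the example.

```python
import html
from urllib.parse import quote

# Characters whose survival decides which payload families can work at all.
PROBE_CHARS = '<>"\'`/\\=;(){}'

def canary(i, ch):
    """Wrap probe character number i in its own markers so each is located independently."""
    return f"s{i:02d}x{ch}x{i:02d}e"

def build_probe(probe_chars=PROBE_CHARS):
    """The single probe value to send: every character, individually marked."""
    return "".join(canary(i, ch) for i, ch in enumerate(probe_chars))

def map_filters(response_body, probe_chars=PROBE_CHARS):
    """Infer per character whether the server reflected it raw, encoded it, or stripped it."""
    result = {}
    for i, ch in enumerate(probe_chars):
        pre, post = f"s{i:02d}x", f"x{i:02d}e"
        # Common transformations a filter applies: HTML entities, percent-encoding, backslash.
        encodings = {html.escape(ch), quote(ch, safe=""), "\\" + ch,
                     f"&#{ord(ch)};", f"&#x{ord(ch):x};"}
        if canary(i, ch) in response_body:
            result[ch] = "raw"
        elif any(pre + enc + post in response_body for enc in encodings if enc != ch):
            result[ch] = "encoded"
        elif pre + post in response_body:
            result[ch] = "stripped"
        else:
            result[ch] = "absent"
    return result

def usable_chars(filter_map):
    """Characters that came back unchanged; only payloads built from these are worth sending."""
    return "".join(ch for ch, state in filter_map.items() if state == "raw")

def mock_server(value):
    """Constructed stand-in for a target that strips ' and ` and HTML-encodes what remains
    (not a real server; present only so the example runs offline)."""
    cleaned = value.replace("'", "").replace("`", "")
    return f"<p>Results for {html.escape(cleaned)}</p>"

if __name__ == "__main__":
    fmap = map_filters(mock_server(build_probe()))
    print(fmap)
    print("usable:", usable_chars(fmap))
```

Read defensively, the same map is what a correct context-aware output encoder should produce: every character dangerous in the reflection's context labelled "encoded", none "raw".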

Confirmed, not assumed. Reflection is a hint. Execution is a finding. The headless Chromium engine intercepts actual alert() and confirm() calls via Chrome DevTools Protocol — if the JavaScript didn't run, it's not reported as confirmed.

Finds what HTTP scanners miss. Single-page apps expose routes through hash fragments (#/search?q=). StingXSS discovers and tests those. Static DOM analysis (28 sources × 43 sinks) catches DOM XSS without a browser, in any CI environment.

From finding to PoC in one step. --poc generates ready-to-use exploitation payloads — cookie-stealers, localStorage exfil, stealth wrappers — for every confirmed finding.

Pipeline-native. JSON output, clean exit codes, a Python API. Drop it into a CI job, chain it with other tools, or call it from a script.


Quick start

stingxss -u "https://target.com/search?q=test"
stingxss -u "https://target.com/#/search?q=test" --browser
stingxss -u "https://target.com/" --crawl --level 2 -o results.json
stingxss -u "https://target.com/comment" --blind "https://xyz.oast.me"
stingxss -u "https://target.com/search?q=test" --poc

Run with no arguments for interactive wizard mode.


What it finds

Reflected, DOM, stored, blind, and browser-confirmed XSS — plus CRLF injection, XST, CORS misconfigurations, prototype pollution, DOM clobbering, clickjacking, HSTS, SRI, JSONP, open redirects, GraphQL and WebSocket injection, and vulnerable client-side libraries. WAF fingerprinting and evasion built in.


Documentation

  • CLI Flags: all flags, grouped by function
  • Capabilities: every detection type with details
  • Smart Scanning: filter probing, scan levels, custom payloads
  • WAF Evasion: auto-detection, 12 transforms, manual override
  • Authentication: form login, HTTP auth, OpenAPI, browser crawl
  • Output & Reports: PoC, HTML reports, SARIF, JSON, exit codes
  • Dorking: target discovery via DuckDuckGo / Bing / Yahoo
  • Browser Engine: headless Chromium, confirmed execution
  • Python API: integration and scripting
  • Fire Range: deliberately vulnerable test lab

Legal & Ethical Use

Only run StingXSS against applications you own or have explicit written authorization to test. Authorized use includes penetration testing engagements, bug bounty programs within defined scope, and CTF competitions.

The authors accept no liability for unauthorized or illegal use.


License

Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.

For commercial licensing, contact the author.


Download files


Source Distribution

stingxss-0.1.7.tar.gz (132.2 kB)

Uploaded Source

Built Distribution


stingxss-0.1.7-py3-none-any.whl (108.0 kB)

Uploaded Python 3

File details

Details for the file stingxss-0.1.7.tar.gz.

File metadata

  • Download URL: stingxss-0.1.7.tar.gz
  • Upload date:
  • Size: 132.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for stingxss-0.1.7.tar.gz
Algorithm Hash digest
SHA256 854b0fca1162f54d2f67ee5969b02bacf5d14e4ef8454284706b296caabfe1ea
MD5 d55a6542bafad4524a78adc1d03cf849
BLAKE2b-256 89e790db5cc493974609acf411b6c0efa5eaca17d208feb561265f215f67a660


File details

Details for the file stingxss-0.1.7-py3-none-any.whl.

File metadata

  • Download URL: stingxss-0.1.7-py3-none-any.whl
  • Upload date:
  • Size: 108.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for stingxss-0.1.7-py3-none-any.whl
Algorithm Hash digest
SHA256 4d727da70f09ab27609e384e3ec71ec0ea1f8ac91c29fdc5089e02984544124b
MD5 7b5b828c435983b0130855497fd3494f
BLAKE2b-256 7c78eeaa2834733480567267e61dfc857a552370afffd7588fc318124cd14e1d

