
Context-aware reflected & DOM XSS scanner with WAF detection and evasion

Project description

StingXSS


The context-aware XSS scanner — reflected, DOM, stored, blind, and browser-confirmed XSS with WAF evasion, CRLF injection, XST, and PoC generation. No Burp license. Just findings.

# Kali / Debian / Ubuntu — venv required on externally-managed Python
python3 -m venv .venv && source .venv/bin/activate
pip install stingxss
pip install "stingxss[browser]"  # + headless browser engine (quoted: zsh, Kali's default shell, otherwise treats [...] as a glob)

Or from source:

git clone https://github.com/CommonHuman-Lab/stingxss.git
cd stingxss
python3 -m venv .venv && source .venv/bin/activate
pip install -e .

Point it at a target. Get findings. Drop it in a pipeline.


Why StingXSS

Most XSS scanners fire generic payloads and check for reflection. StingXSS goes further at every step:

Context first. Before injecting a single payload, StingXSS classifies exactly where the input lands — inside a <script> block, a double-quoted attribute, a template literal, an Angular expression, a CSS value. The payloads sent are chosen for that specific context, not sprayed blindly.

Smarter, not just more. Filter-probing runs automatically on every reflected parameter: one extra request maps which special characters the server encodes or strips, then only payloads that can actually work in that environment are tried. Fewer requests, higher signal.
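The two steps just described, context classification followed by a single filter-probing request, as an added Python example. This is not StingXSS's own code: the HTTP round-trip is replaced by a constructed `fake_server` that echoes a parameter into one of three page templates, the canary `zq7k`, the probe character set and the context labels are all assumptions made here, and the output says only which characters survive and whether the character that matters for the detected context is reflected intact, which is what an output-encoding review needs to know.

```python
import html
import re
from typing import Callable, Dict, List

# Canary: a short string that will not occur naturally in the page, so every
# reflection of it can be located unambiguously (constructed value).
CANARY = "zq7k"

# Characters whose treatment (intact / encoded / stripped) decides whether the
# output encoding is adequate for the context the input lands in.
PROBE_CHARS = "<>\"'`/;()"

# Constructed stand-in for the target application, NOT a real HTTP request:
# the "server" echoes the value into a template, strips some characters and
# entity-encodes others.
TEMPLATES = {
    "script":  "<script>var q = '{v}';</script>",
    "attr_dq": '<input type="text" value="{v}">',
    "text":    "<p>Results for {v}</p>",
}

def fake_server(template: str, value: str, strips: str = "", encodes: str = "<>") -> str:
    for ch in strips:
        value = value.replace(ch, "")
    echoed = "".join(html.escape(ch, quote=True) if ch in encodes else ch for ch in value)
    return TEMPLATES[template].format(v=echoed)

def classify_contexts(body: str, marker: str = CANARY) -> List[str]:
    """Label every reflection of `marker`: script, attr_dq, attr_sq, attr_unquoted or html_text."""
    labels = []
    lower = body.lower()
    for m in re.finditer(re.escape(marker), body):
        before = lower[:m.start()]
        if before.rfind("<script") > before.rfind("</script"):   # inside an open script block
            labels.append("script")
            continue
        lt, gt = before.rfind("<"), before.rfind(">")
        if lt > gt:                                                # inside an unclosed tag: attribute territory
            tag = before[lt:]
            if tag.count('"') % 2:
                labels.append("attr_dq")
            elif tag.count("'") % 2:
                labels.append("attr_sq")
            else:
                labels.append("attr_unquoted")
            continue
        labels.append("html_text")
    return labels

# Matches any HTML entity spelling (&lt; &#60; &#x3c; ...), decoded below with html.unescape.
ENTITY_RE = re.compile(r"&(?:#x?[0-9a-fA-F]+|[a-zA-Z]+);")

def probe_filters(send: Callable[[str], str], marker: str = CANARY) -> Dict[str, str]:
    """One request: reflect marker+PROBE_CHARS+marker, then read each probe char back
    as 'encoded', 'intact' or 'stripped'. `send` maps a parameter value to a response body."""
    body = send(marker + PROBE_CHARS + marker)
    start = body.find(marker)
    if start == -1:
        return {}                       # marker itself did not survive: nothing to learn
    start += len(marker)
    end = body.find(marker, start)
    if end == -1:
        return {}
    reflected = body[start:end]
    verdict, pos = {}, 0
    for ch in PROBE_CHARS:
        ent = ENTITY_RE.match(reflected, pos)        # entity check first, so '&' could never pass as intact
        if ent and html.unescape(ent.group(0)) == ch:
            verdict[ch], pos = "encoded", ent.end()
        elif reflected.startswith(ch, pos):
            verdict[ch], pos = "intact", pos + 1
        else:
            verdict[ch] = "stripped"                 # absent: position does not advance
    return verdict

# The character the output encoding must neutralise in each context (for the
# single-quoted script template above, the single quote). Encoding only angle
# brackets protects html_text but neither attributes nor script strings.
CRITICAL_CHAR = {"html_text": "<", "attr_dq": '"', "attr_sq": "'", "script": "'"}

def assess(template: str, strips: str = "", encodes: str = "<>") -> dict:
    send = lambda v: fake_server(template, v, strips, encodes)
    ctx = classify_contexts(send(CANARY))[0]
    filters = probe_filters(send)
    return {
        "context": ctx,
        "filters": filters,
        "critical_char_intact": filters.get(CRITICAL_CHAR.get(ctx)) == "intact",
    }

if __name__ == "__main__":
    for template, kw in [("text", {}), ("attr_dq", {}), ("script", {"strips": "'"})]:
        print(template, assess(template, **kw))
```

The `attr_dq` case is the one worth noticing: a server that encodes `<` and `>` but leaves `"` alone looks safe to a reflection-only check, yet the double-quoted attribute context still has its critical character intact, which is exactly the distinction the filter-probing step is there to make.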

Confirmed, not assumed. Reflection is a hint. Execution is a finding. The headless Chromium engine intercepts actual alert() and confirm() calls via Chrome DevTools Protocol — if the JavaScript didn't run, it's not reported as confirmed.

Finds what HTTP scanners miss. Single-page apps expose routes through hash fragments (#/search?q=). StingXSS discovers and tests those. Static DOM analysis (28 sources × 43 sinks) catches DOM XSS without a browser, in any CI environment.
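The static DOM analysis mentioned above, as an added Python example that is not StingXSS's code. It walks a constructed JavaScript snippet (a hash-route view of the `#/search?q=` kind), propagates taint from a small, explicitly partial subset of DOM sources through simple assignments, and reports every line where tainted data reaches a sink; the source and sink lists, the `Flow` record and the sample script are assumptions made for this example, and the line-based matching is deliberately simple (no real parser, so a `//` inside a string literal would be mistaken for a comment).

```python
import re
from typing import Dict, List, NamedTuple, Optional

# A small SUBSET of the DOM XSS source/sink catalogue, chosen for this example
# (not the tool's own 28 x 43 matrix): where attacker-controlled data enters...
SOURCES = re.compile(
    r"location\.(?:hash|search|href)|document\.(?:URL|referrer|cookie)|window\.name"
)
# ...and the APIs that interpret a string as markup or code. The (?!=) keeps
# comparisons such as `x.innerHTML == y` from counting as writes.
SINKS: Dict[str, str] = {
    "innerHTML":          r"\.innerHTML\s*=(?!=)",
    "outerHTML":          r"\.outerHTML\s*=(?!=)",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(",
    "document.write":     r"\bdocument\.write(?:ln)?\s*\(",
    "eval":               r"\beval\s*\(",
    "Function":           r"\bFunction\s*\(",
    "setTimeout":         r"\bsetTimeout\s*\(",
}
# `var name = rhs`, `let/const name = rhs`, or a bare `name = rhs` at line start.
ASSIGN = re.compile(r"(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$")

class Flow(NamedTuple):
    line: int      # line in the script where the sink is written
    source: str    # originating DOM source, e.g. "location.hash"
    sink: str      # sink label from SINKS

def taint_origin(expr: str, tainted: Dict[str, str]) -> Optional[str]:
    """Originating source if `expr` reads a source directly or via a tainted variable."""
    m = SOURCES.search(expr)
    if m:
        return m.group(0)
    for name, origin in tainted.items():
        if re.search(rf"\b{re.escape(name)}\b", expr):
            return origin
    return None

def find_dom_flows(js: str) -> List[Flow]:
    """Line-by-line taint tracking: assignments spread taint, sink calls report it."""
    tainted: Dict[str, str] = {}     # variable name -> originating source
    flows: List[Flow] = []
    for lineno, raw in enumerate(js.splitlines(), 1):
        code = raw.split("//", 1)[0].strip()     # drop trailing line comments
        if not code:
            continue
        m = ASSIGN.match(code)
        if m:
            origin = taint_origin(m.group(2), tainted)
            if origin:
                tainted[m.group(1)] = origin
        for label, pattern in SINKS.items():
            sm = re.search(pattern, code)
            if sm:
                origin = taint_origin(code[sm.end():], tainted)   # what is being written/evaluated
                if origin:
                    flows.append(Flow(lineno, origin, label))
    return flows

# Constructed sample: a single-page-app view rendering the query from the hash route.
SAMPLE_JS = """\
// constructed sample: renders the #/search?q= route
var frag = location.hash.slice(1);
var q = decodeURIComponent(frag);
document.getElementById("out").innerHTML = "Results for " + q;
var safe = "static text";
document.getElementById("hdr").textContent = q;
eval(window.name);
"""

if __name__ == "__main__":
    for f in find_dom_flows(SAMPLE_JS):
        print(f"line {f.line}: {f.source} -> {f.sink}")
```

Run stand-alone it reports two flows (line 4, `location.hash` into `innerHTML` via the intermediate variables; line 7, `window.name` straight into `eval`) and nothing for line 6, because `textContent` is not a markup sink. That is the kind of check that can sit in CI on a static bundle, where no browser is available.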

From finding to PoC in one step. --poc generates ready-to-use exploitation payloads — cookie-stealers, localStorage exfil, stealth wrappers — for every confirmed finding.

Pipeline-native. JSON output, clean exit codes, a Python API. Drop it into a CI job, chain it with other tools, or call it from a script.


Quick start

stingxss -u "https://target.com/search?q=test"
stingxss -u "https://target.com/#/search?q=test" --browser
stingxss -u "https://target.com/" --crawl --level 2 -o results.json
stingxss -u "https://target.com/comment" --blind "https://xyz.oast.me"
stingxss -u "https://target.com/search?q=test" --poc

Run with no arguments for interactive wizard mode.

Full CLI reference


What it finds

Reflected, DOM, stored, blind, and browser-confirmed XSS — plus CRLF injection, XST, CORS misconfigurations, prototype pollution, DOM clobbering, clickjacking, HSTS, SRI, JSONP, open redirects, GraphQL and WebSocket injection, and vulnerable client-side libraries. WAF fingerprinting and evasion built in.

Full capabilities table


Documentation

Topic             Description
CLI Flags         All flags, grouped by function
Capabilities      Every detection type with details
Smart Scanning    Filter probing, scan levels, custom payloads
WAF Evasion       Auto-detection, 12 transforms, manual override
Authentication    Form login, HTTP auth, OpenAPI, browser crawl
Output & Reports  PoC, HTML reports, SARIF, JSON, exit codes
Dorking           Target discovery via DuckDuckGo / Bing / Yahoo
Browser Engine    Headless Chromium, confirmed execution
Python API        Integration and scripting
Fire Range        Deliberately vulnerable test lab

Legal & Ethical Use

Only run StingXSS against applications you own or have explicit written authorization to test. Authorized use includes penetration testing engagements, bug bounty programs within defined scope, and CTF competitions.

The authors accept no liability for unauthorized or illegal use.


License

Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.

For commercial licensing, contact the author.



Download files

Source Distribution

stingxss-0.1.8.tar.gz (561.9 kB)

Built Distribution

stingxss-0.1.8-py3-none-any.whl (108.8 kB)

File details

Details for the file stingxss-0.1.8.tar.gz.

File metadata

  • Download URL: stingxss-0.1.8.tar.gz
  • Upload date:
  • Size: 561.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for stingxss-0.1.8.tar.gz
Algorithm    Hash digest
SHA256       955202305aa3af09558b45eaa5221895a00f1756581258cc5bacc1c73dda3d10
MD5          a9162654bfb5db4757b58a1d2d9788b1
BLAKE2b-256  d7b83ec46e10a3eb5db87d891dfc7b13db411e802eab972077230e8c5d01ea32


File details

Details for the file stingxss-0.1.8-py3-none-any.whl.

File metadata

  • Download URL: stingxss-0.1.8-py3-none-any.whl
  • Upload date:
  • Size: 108.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for stingxss-0.1.8-py3-none-any.whl
Algorithm    Hash digest
SHA256       d66a4d584527dc2b87ae678f502b74a999d93f2fdca38b86094650282609add4
MD5          fa2c6ec631385ab70c20c5198d4b4024
BLAKE2b-256  50e083cce99d2cd5d6ba4803ceb09db367bbbebd14bcf1ecac3324882dcaca75

