Context-aware reflected & DOM XSS scanner with WAF detection and evasion
Project description
StingXSS
The context-aware XSS scanner — reflected, DOM, stored, blind, and browser-confirmed XSS with WAF evasion, CRLF injection, XST, and PoC generation. No Burp license. Just findings.
```bash
# Kali / Debian / Ubuntu — venv required on externally-managed Python
python3 -m venv .venv && source .venv/bin/activate
pip install stingxss
pip install 'stingxss[browser]'   # + headless browser engine (extras quoted so the shell does not glob the brackets)
```
Or from source:
```bash
git clone https://github.com/CommonHuman-Lab/stingxss.git
cd stingxss
python3 -m venv .venv && source .venv/bin/activate
pip install -e .
```
Point it at a target. Get findings. Drop it in a pipeline.
Why StingXSS
Most XSS scanners fire generic payloads and check for reflection. StingXSS goes further at every step:
Context first. Before injecting a single payload, StingXSS classifies exactly where the input lands — inside a <script> block, a double-quoted attribute, a template literal, an Angular expression, a CSS value. The payloads sent are chosen for that specific context, not sprayed blindly.
Smarter, not just more. Filter-probing runs automatically on every reflected parameter: one extra request maps which special characters the server encodes or strips, then only payloads that can actually work in that environment are tried. Fewer requests, higher signal.
Confirmed, not assumed. Reflection is a hint. Execution is a finding. The headless Chromium engine intercepts actual alert() and confirm() calls via Chrome DevTools Protocol — if the JavaScript didn't run, it's not reported as confirmed.
Finds what HTTP scanners miss. Single-page apps expose routes through hash fragments (#/search?q=). StingXSS discovers and tests those. Static DOM analysis (28 sources × 43 sinks) catches DOM XSS without a browser, in any CI environment.
From finding to PoC in one step. --poc generates ready-to-use exploitation payloads — cookie-stealers, localStorage exfil, stealth wrappers — for every confirmed finding.
Pipeline-native. JSON output, clean exit codes, a Python API. Drop it into a CI job, chain it with other tools, or call it from a script.
Quick start
```bash
# reflected XSS on a GET parameter
stingxss -u "https://target.com/search?q=test"
# SPA hash-fragment route, execution confirmed in headless Chromium
stingxss -u "https://target.com/#/search?q=test" --browser
# crawl the site (level 2) and write findings to a JSON file
stingxss -u "https://target.com/" --crawl --level 2 -o results.json
# JSON on stdout for piping into other tools
stingxss -u "https://target.com/search?q=test" --json | jq .
# plain-text report
stingxss -u "https://target.com/search?q=test" --text report.txt
# blind XSS with an out-of-band callback host
stingxss -u "https://target.com/comment" --blind "https://xyz.oast.me"
# generate PoC payloads for each confirmed finding
stingxss -u "https://target.com/search?q=test" --poc
```
Run with no arguments for interactive wizard mode.
What it finds
Reflected, DOM, stored, blind, and browser-confirmed XSS — plus CRLF injection, XST, CORS misconfigurations, prototype pollution, DOM clobbering, clickjacking, HSTS, SRI, JSONP, open redirects, GraphQL and WebSocket injection, and vulnerable client-side libraries. WAF fingerprinting and evasion built in.
Documentation
| Topic | Description |
|---|---|
| CLI Flags | All flags, grouped by function |
| Capabilities | Every detection type with details |
| Smart Scanning | Filter probing, scan levels, custom payloads |
| WAF Evasion | Auto-detection, 12 transforms, manual override |
| Authentication | Form login, HTTP auth, OpenAPI, browser crawl |
| Output & Reports | PoC, HTML reports, SARIF, JSON, exit codes |
| Dorking | Target discovery via DuckDuckGo / Bing / Yahoo |
| Browser Engine | Headless Chromium, confirmed execution |
| Python API | Integration and scripting |
| Fire Range | Deliberately vulnerable test lab |
Legal & Ethical Use
Only run StingXSS against applications you own or have explicit written authorization to test. Authorized use includes penetration testing engagements, bug bounty programs within defined scope, and CTF competitions.
The authors accept no liability for unauthorized or illegal use.
License
Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.
For commercial licensing, contact the author.
File details
Details for the file stingxss-0.1.9.tar.gz.
File metadata
- Download URL: stingxss-0.1.9.tar.gz
- Upload date:
- Size: 566.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8f5466913dfabdf42dd9706112f22a3500d1b57456a205e05feed19954632bc0 |
| MD5 | 426293f37c62293e696f58f69dbb7a16 |
| BLAKE2b-256 | bdf3019fcda9b9acd63784dcfdcc83abcc6813056d0ebd244be6896d92e60b22 |
File details
Details for the file stingxss-0.1.9-py3-none-any.whl.
File metadata
- Download URL: stingxss-0.1.9-py3-none-any.whl
- Upload date:
- Size: 115.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f46419acf8683cd1e039f9310a22b8242308a5211e41e85c4ca8e61e5cd1b753 |
| MD5 | e9811778af505e1e2cd7f9e482a136df |
| BLAKE2b-256 | f2d315362a3fc27c440e906d447374da543710e324c4418f1fd998ae38f3f778 |