Hacker tools: XSStrike – Hunting for low-hanging fruits.

By Anna Hammond

June 29, 2021

Welcome to our wonderful “Hacker tools” series. If you have mastered all our previous articles, you must have submitted a valid report by now. If not, check out this week’s tool. XSStrike is a Cross-Site Scripting detection framework written by s0md3v. Yes, you are correct, the same developer of Arjun.

XSStrike is written in Python3 and is a fast framework for detecting Cross-site scripting vulnerabilities. The framework has multiple handwritten parsers, has its own intelligent payload generator, can fuzz parameters, and has an incredibly fast crawler. What makes XSStrike stand out is that it analyzes the responses with its own parsers and generates a custom payload.
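To illustrate the response-analysis idea described above, here is an added example (not XSStrike's code and not from the original article) that classifies where a harmless marker is reflected in a constructed HTML response and names the output encoding each context needs. The marker, the sample page and all class and function names are assumptions made for this example.

```python
from html.parser import HTMLParser

MARKER = "zq7probe"  # constructed, harmless marker (assumption, not an XSStrike value)

# Output encoding a developer must apply for each reflection context.
ENCODING = {
    "html": "HTML-entity encode the value",
    "attribute": "attribute-encode the value and keep it quoted",
    "script": "JavaScript string escaping or JSON serialisation",
    "comment": "do not reflect input into comments",
}

class ReflectionFinder(HTMLParser):
    """Record the HTML context of every place the marker is reflected."""
    def __init__(self):
        super().__init__()
        self.contexts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and MARKER in value:
                self.contexts.append(("attribute", f"{tag}[{name}]"))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if MARKER in data:
            self.contexts.append(("script" if self._in_script else "html", "text"))

    def handle_comment(self, data):
        if MARKER in data:
            self.contexts.append(("comment", "comment"))

def report(body):
    """Return (context, location, required encoding) for each reflection."""
    finder = ReflectionFinder()
    finder.feed(body)
    finder.close()
    return [(ctx, where, ENCODING[ctx]) for ctx, where in finder.contexts]

# Constructed response body that reflects the marker in four different contexts.
SAMPLE = ('<html><body><!-- lang=zq7probe --><h1>Results for zq7probe</h1>'
          '<input name="lang" value="zq7probe">'
          '<script>var lang = "zq7probe";</script></body></html>')
```

Each context needs a different encoding, which is why a single blanket filter on the server side tends to leave one of them exposed.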

XSStrike is available on the Github page of s0md3v at, go check it out.

The installation

XSStrike is another Python-based tool, and in order to run, we need Python version 3.4 or above. Important note: if you install dependencies, make sure to use pip3.

I assume you already have pip3 and Python3 installed so let’s copy the repository to our local system.

git clone
pip3 install -r requirements.txt

That’s all you need to do. Now run the tool to check if it is installed correctly. And have some fun exploring the options.

python3 -h

The Basics

Like previous articles, we will start with the basics to see what the tool can do and how to use it properly.

Single URL testing:

There is a possibility to test single URLs with the (-u) flag. This will first test for DOM-based XSS and then for Reflected XSS. If you want to skip DOM testing use the (--skip-dom) flag.

python3 -u "http://<URL>/faq.php?lang=q"
python3 -u "http://<URL>/faq.php?lang=q" --skip-dom

Keep in mind that you may have to test multiple payloads in order to execute your XSS.

POST requests:

The same is possible for POST requests. Here we need to provide the (--data) flag with the request data we want to test. This can also be done with JSON data.

./ -u "http://<URL>/faq.php?lang=q" --data "search=q"
./ -u "http://<URL>/faq.php" --data '{"search":"q"}' --json

PATH based:

Sometimes it's possible to inject XSS in the URL path; in this case we use the (--path) flag.

./ -u "http://<URL>/" --path

Crawling a domain:

A nice feature of XSStrike is that it has the ability to crawl (--crawl) a given site and you can specify the crawling depth (-l).

./ -u "http://<URL>/" --crawl
./ -u "http://<URL>/" --crawl -l 3

Using custom payloads:

There are large lists out there with all sorts of payloads. You can use a custom payload list by providing the (-f) flag.

./ -u "http://<URL>/faq.php?lang=q" -f payloads.txt

Advanced features

Now that we know how XSStrike works we can tweak a couple of settings. Every tool that is used for bug bounty hunting should have an option to set a delay. This is an important feature to comply with the program details.

Setting delays:

The delay is set in seconds, and can be set with the (-d) or (--delay) flag.

./ -u "http://<URL>/faq.php?lang=q" -d 1

Threads and Timeouts:

When checking lots of endpoints there is an option to set threads (-t) and a timeout (--timeout). Be careful about setting a high number of threads, as this will increase your request count to the targets. The default thread count is 2 and the default timeout is set to 7 seconds.

./ -u "http://<URL>/faq.php?lang=q" -t 5 --timeout 3


When testing on an authenticated endpoint we need the ability to insert auth-headers. Setting XSStrike with the (--headers) flag will open up a nano prompt where you can paste your headers. After you paste your headers and have saved them, XSStrike will start running. There is also the possibility to do this directly on the command line.

./ -u "http://<URL>/faq.php?lang=q" --headers
./ -u "http://<URL>/faq.php?lang=q" --headers "Cookie: null"

Blind XSS:

There is also an option to paste your blind XSS payloads in every form the crawler can find. This can be configured in the config file located at core/ Find the blind payload section and add them to the config file.

./ -u "http://<URL>/faq.php?lang=q" --crawl --blind

Payload encoding:

As the last item we will discuss, XSStrike can encode the payloads it generates in base64 on demand.

./ -u "http://<URL>/faq.php?lang=q" -e base64


XSStrike is another nice tool developed by s0md3v and can prove useful in hunting for XSS. The payloads generated by the engine do not always work on the first try, but it gives lots of possibilities to try. It’s an extremely fast tool, so be careful about running it on a large site. Always read the program details and set a delay. For more information on this tool and all its features check out the usage page on Github: I hope you enjoyed reading this article, and see you next time.