XSSPY | Web Application XSS Scanner

XSSPY | Web Application XSS Scanner


XssPy is a python tool for finding Cross Site Scripting vulnerabilities in websites. This tool is the first of its kind. Instead of just checking one page as most of the tools do, this tool traverses the website and find all the links and subdomains first. After that, it starts scanning each and every input on each and every page that it found while its traversal. It uses small yet effective payloads to search for XSS vulnerabilities.

The tool has been tested parallel with paid Vulnerability Scanners and most of the scanners failed to detect the vulnerabilities that the tool was able to find. Moreover, most paid tools scan only one site whereas XSSPY first finds a lot of subdomains and then scan all the links altogether. The tool comes with:

  • Short Scanning
  • Comprehensive Scanning
  • Finding subdomains
  • Checking every input on every page

With this tool, Cross Site Scripting vulnerabilities have been found in the websites of MIT, Stanford, Duke University, Informatica, Formassembly, ActiveCompaign, Volcanicpixels, Oxford, Motorola, Berkeley and many more.

How to Use:

  • Go to the directory where you have xsspy.py
  • Type python xsspy.py website.com (Type the website name without “www”)
  • The scanner will start scanning and will output many urls which it is testing at the moment.
  • If it outputs “Xss found and the link is .. “, then you have found a XSS vulnerability. Otherwise, it is just checking the links one by one.


  • After you have found the vulnerability. You can try the following payloads to exploit it and have an alert box. You can then report it and get rewards. (http://pastebin.com/J1hCfL9J)



Note: If you face any problem, comment below.



Add yours
  1. 1

    practically after scanning 26 websites i didn’t find any vulnerability! can you provide any website name or anything that has this vulnerability to check on for educational purposes. i want to know if i didn’t have done anything wrong

  2. 3
    Daud Akhtar


    Do you know how to resolve the following error when trying to run your script.
    Traceback (most recent call last):
    File “XssPy.py”, line 1, in
    import mechanize
    ImportError: No module named mechanize

  3. 6

    When I find an xss vulnerability, how do I insert that into website? I replaced payload with that in pastebin, but when I opened the url, no alert was displayed?

  4. 9

    I’ve been browsing on-line over 3 hours recently, yet I never discovered any interesting article
    like yours. It’s lovely price sufficient to me. In my view, if
    all web owners and bloggers made good written content as you did, the net could possibly be far more helpful than ever before.

  5. 13
    Ben Lights

    When I tried it on a website I develop it says “Number of links to test are 0” and “No links found” and then exits. Is there any way to give it auth access?

  6. 15
    Haroon Awan

    Very nice faizan, I have some suggestions and request please do look into them,

    1. Proxy method
    2. Can you please these href, link, javascript, vbscript, iframes and object variables counting in a website
    3. GET/POST tuner for links
    4. Wildcards for validation input identifying
    5, Buffer overflow test example A x 100 (crashing purposes), HTTP Smuggling
    6. Identify hidden fields, a href tags, link tags, image tags, etc (For dangers in the source coding)
    7. Converter option for Hex converters

    This will be killer tool, if you implement these in it. I don’t think anyone could beat the quality of this tool then as now. Since that’s method I use to break into websites or systems I hope you will consider my request.

  7. 17

    Hi faizan! thanks for the awesome tool!
    why you try with only some payloads?
    is not better a list of payloads reading of an external payloads file?

    thanks for your reply!

+ Leave a Comment