loading
loading
Scanners
Find reflected XSS during recon by checking payload reflection.
overview
airixss reads parameter-bearing URLs from stdin, injects your payload into each one, and checks whether the reflection comes back in the response unfiltered. It prints every URL as Vulnerable or Not Vulnerable, so a long list of candidate URLs collapses into a short set worth manual confirmation.
It is built for the recon phase rather than deep exploitation. Concurrency is tunable with -c so it keeps pace with large URL sets, --only-poc trims output to the URLs that look vulnerable, and --proxy routes traffic through an interception tool for logging or replay. Custom --headers let it reach endpoints that need auth or specific request shaping.
On Trickest, airixss is a Scanners node that reads a file of target URLs and writes a file and a folder of results. Feed it parameter URLs from a crawler or archive collector like gau or waybackurls, then hand its hits to a dedicated XSS tool or manual review for confirmation.
use cases
Run airixss over crawler or archive output to flag the URLs where an injected payload reflects unfiltered, narrowing a huge list to a few candidates worth a closer look.
Enable --only-poc so the run reports only the potentially vulnerable URLs and drops the Not Vulnerable noise before a human or a deeper tool takes over.
Chain gau or waybackurls into gf xss and qsreplace, then pipe the parameter URLs into airixss so reflection triage runs as one automated stage in an attack-surface workflow.
Send traffic through --proxy to log every request and response, so reflected hits can be replayed and confirmed in an interception tool like Burp or ZAP.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| targets | FILE | · | File of target URLs to test for reflected XSS (read from stdin on the CLI). |
| payload | STRING | -payload | Reflection flag string to inject and match in each response, e.g. "><svg onload=confirm(1)>. |
| only-poc | BOOLEAN | --only-poc | Show only potentially vulnerable URLs and drop the Not Vulnerable lines. |
| concurrency | STRING | -c | Set the number of concurrent workers (default 50). |
| headers | STRING | --headers | Custom request headers, for auth or specific request shaping. |
| proxy | STRING | --proxy | Send traffic through a proxy for logging, inspection, or replay. |
Showing key inputs. airixss exposes 6 inputs in total.
example
# triage parameter URLs for reflected XSS with 40 concurrent workerscat urls.txt | airixss -payload '"><svg onload=confirm(1)>' -c 40Vulnerable - https://example.com/search?q="><svg onload=confirm(1)>Not Vulnerable - https://example.com/about?ref=navNot Vulnerable - https://example.com/catalog?id=42Vulnerable - https://example.com/redirect?next="><svg onload=confirm(1)>Not Vulnerable - https://example.com/blog?page=7Not Vulnerable - https://example.com/filter?sort=ascVulnerable - https://app.example.com/preview?tpl="><svg onload=confirm(1)>guidance
Use airixss as a fast first pass for reflected XSS over a large set of parameter-bearing URLs during recon. It flags reflection, it does not confirm exploitability, so pass its hits to a dedicated XSS tool or manual review.
Full-featured XSS scanner with parameter analysis and verification. Heavier, more thorough than a reflection check.
Reports which characters reflect unfiltered per parameter. Pairs well as a precursor to airixss.
Focuses on DOM-based XSS. Use it to cover the cases airixss reflection checks miss.
faq
related
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
The Swiss Army knife for automated Web Application Testing.
A list of parameter URLs feeds airixss, which checks each for reflected payloads and writes the likely-vulnerable hits as a queryable output.
Facts on this page come from the live Trickest tool library.