loading
loading
Vulnerabilities
Find unfiltered special characters reflected from URLs.
overview
kxss takes a list of URLs with parameters and reports which special characters reflect back unfiltered in the response. Characters such as double quotes, angle brackets, and parentheses are the raw material of an XSS payload, so a parameter that echoes them without escaping is the first concrete signal that the spot is worth testing for cross-site scripting.
It is a triage tool, not an exploit engine. Rather than firing payloads at every endpoint, it appends a marker plus each test character to a parameter, requests the URL, and checks which characters survive intact. That lets you scan a large URL set fast and spend manual effort only where a real reflection exists.
In a Trickest workflow it accepts a URL list and writes a file and a folder of reflecting URLs. Feed it parameterized URLs from gau, a crawler, or qsreplace, then route the results into a dedicated XSS scanner such as dalfox for confirmation.
source github.com/Emoe/kxss
use cases
Scan a large list of parameterized URLs and keep only the ones that reflect special characters unfiltered, so testing focuses on real candidates.
Run kxss first so a slower payload-based scanner like dalfox only sees parameters that already reflect dangerous characters.
Collect every parameterized URL on a target, then use kxss to map which parameters echo unescaped characters worth a closer look.
Pass a small URL list to confirm whether a specific parameter reflects quotes or brackets before writing a manual proof of concept.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url-list | FILE | · | List of URLs to check for reflected, unfiltered special characters. |
Showing key inputs. kxss exposes 1 inputs in total.
example
# check a list of parameterized URLs for reflected special characterscat urls.txt | kxssURL: https://example.com/search?q=aaa Unfiltered: [" ' < >]URL: https://example.com/product?id=1 Unfiltered: [< > ']URL: https://app.example.com/page?ref=aaa Unfiltered: [" < > ( )]URL: https://example.com/redirect?url=aaa Unfiltered: [" ']URL: https://example.com/filter?category=aaa Unfiltered: [< >]URL: https://staging.example.com/view?name=aaa Unfiltered: [" ' < > ( ) ;]URL: https://example.com/note?msg=aaa Unfiltered: [" ' < > { }]guidance
Use kxss to triage parameterized URLs for reflected characters before committing to full XSS testing. It flags candidates, it does not confirm exploitability, so pass its output to a payload-based scanner like dalfox. Feed it URLs from gau or a crawler.
Full XSS scanner that crafts and verifies payloads. kxss triages first; dalfox confirms the reflections it flags.
Hunts DOM-based XSS sinks in client code. Complements kxss, which catches reflected ones.
Parameter XSS scanner with analysis output. A heavier alternative for confirming what kxss surfaces.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A target feeds gau, which collects parameterized URLs, then kxss flags the ones that reflect special characters and writes them as a queryable output.
Facts on this page come from the live Trickest tool library.