loading
loading
Vulnerabilities
XSS scanner built on Ruby gems.
overview
xspear tests web parameters for cross-site scripting. Point it at a URL with --url, tell it which parameters to test with --param, and it analyzes how each one is reflected, then fires payloads to confirm where script injection executes.
It covers awkward cases. Blind XSS is supported through -b so injections that only execute later in an admin panel or log viewer still report back. Load custom payloads with --custom-payload, drive POST bodies and cookies, raise --verbose to inspect requests and responses, and choose cli, json, or html via --output.
In a Trickest workflow xspear takes a URL and writes a file and a folder of results. Run it after discovery has produced live URLs with parameters, then route confirmed findings into triage alongside the rest of your scan output.
source github.com/hahwul/XSpear
use cases
Point xspear at a URL and its parameters so it analyzes reflection and confirms which inputs let injected script execute.
Supply a blind XSS vector with -b so injections that only fire later, in an admin view or log, still report back through your callback host.
Load a custom payload JSON file with --custom-payload to test the specific vectors a target's filtering requires, beyond the built-in set.
Choose --output so confirmed findings flow into an automated pipeline as JSON or land as a readable HTML report.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-url | STRING | --url | Target URL to scan for XSS. |
| param | STRING | --param | Parameters to test. |
| post-data | STRING | --data | POST method body data. |
| cookie | STRING | --cookie | Cookie to add to requests. |
| blind-vector | STRING | -b | Blind XSS vector for XSS Hunter, ezXSS, HBXSS, etc. |
| custom-payload-json-file | FILE | --custom-payload | Load a custom payload JSON file. |
| output-format | STRING | --output | Output format: cli, json, html. |
| threads | STRING | --threads | Number of threads (default 10). |
Showing key inputs. xspear exposes 15 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| param | STRING | --param | Test paramters |
| cookie | STRING | --cookie | Add Cookie |
| no-xss | BOOLEAN | --no-xss | Don't test XSS, only parameters analysis |
| headers | STRING | --headers | Add HTTP Headers |
| raw-ssl | BOOLEAN | --raw-ssl | http/https switch for burp raw file |
| threads | STRING | --threads | Threads , default: 10 |
| post-data | STRING | --data | POST Method Body data |
| target-url | STRING | --url | Target Url |
| config-file | FILE | --config | Use config file |
| blind-vector | STRING | -b | Add vector of Blind XSS. With XSS Hunter, ezXSS, HBXSS... e.g: https://hahwul.xss.ht |
| burp-raw-file | FILE | --raw | Load raw file(e.g raw_sample.txt) |
| output-format | STRING | --output | Output format (cli , json, html) |
| verbose-level | STRING | --verbose | Show log depth. 0: quite mode(only result) 1: show scanning status(default) 2: show scanning logs 3: show detail log(req/res) |
| test-all-params | BOOLEAN | --test-all-params | Test to all params(include not reflected) |
| custom-payload-json-file | FILE | --custom-payload | Load custom payload json file |
example
# xspear: reflected XSS test on query params, JSON outputxspear --url 'https://app.example.com/search?q=test&lang=en' --param q,lang --threads 10 --output json[*] Target: https://app.example.com/search?q=test&lang=en[+] Reflected: q on https://app.example.com/search[+] Reflected: lang on https://app.example.com/search[!] XSS confirmed: q -> https://app.example.com/search?q=<payload>[!] XSS confirmed: lang -> https://app.example.com/search?lang=<payload>[*] Blind vector armed for callback on admin.example.com[*] 2 confirmed XSS / 2 reflected params[*] Results written for app.example.comguidance
Use XSpear when you want focused XSS testing on known parameters, including blind XSS. For hidden parameter discovery first, run x8; for broad multi-class scanning, run nuclei alongside it.
Fast Go XSS scanner. Similar focus; choose by payload handling and report format you prefer.
Template scanner across many vulnerability classes. Broader, but not XSS-specialized like XSpear.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A URL feeds XSpear, which analyzes its parameters and fires payloads to confirm cross-site scripting, writing the verified findings as a queryable output.
Facts on this page come from the live Trickest tool library.