finds.dev← search

// the find

s0md3v/XSStrike

★ 15,060 · Python · GPL-3.0 · updated Apr 2025

Most advanced XSS scanner.

XSStrike is a command-line XSS detection tool that goes beyond dumb payload injection by parsing HTML/JS context and generating payloads tailored to the reflection point. It handles reflected and DOM XSS, crawls target sites, detects WAFs, and can brute-force from a payload list. Primarily useful for pentesters doing manual web app assessments.

Context-aware payload generation is the real differentiator — it analyzes where input lands in the response before picking a payload, so it doesn't just throw `<script>alert(1)</script>` at everything. The hand-rolled HTML and JS parsers mean it can handle edge cases that regex-based tools miss. WAF detection with evasion techniques (case mangling, URL encoding variants) is built in and sourced from sqlmap signatures, which is a solid starting point. Blind XSS support with out-of-band callback is useful for inputs that don't reflect immediately.

The codebase hasn't had a meaningful commit in years — the last real activity is from 2018-2019 and the April 2025 push is cosmetic. Modern WAFs and CSP-heavy apps will chew through its evasion techniques without breaking a sweat. The `--break-system-packages` in the install instructions is a red flag about Python dependency hygiene; fuzzywuzzy gets its own FAQ entry because the install regularly breaks. No API or library interface — it's a CLI-only tool, which makes integrating it into automated pipelines awkward.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →