Powerfull XSS Scanning and Parameter analysis tool&gem

Key features

  • Pattern matching based XSS scanning
  • Detect alert confirm prompt event on headless browser (with Selenium)
  • Testing request/response for XSS protection bypass and reflected params
    • Reflected Params
    • Filtered test event handler HTML tag Special Char Useful code
  • Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test…)
  • Dynamic/Static Analysis
    • Find SQL Error pattern
    • Analysis Security headers(CSP HSTS X-frame-optionsXSS-protection etc.. )
    • Analysis Other headers..(Server version, Content-Type, etc…)
  • Scanning from Raw file(Burp suite, ZAP Request)
  • XSpear running on ruby code(with Gem library)
  • Show table base cli-report and filtered ruletesting raw query(url)
  • Testing at selected parameters
  • Support output format cli json
    • cli: summary, filtered rule(params), Raw Query
  • Support Verbose level (quit / nomal / raw data)
  • Support custom callback code to any test various attack vectors


Install it yourself as:

$ gem install XSpear

Or install it yourself as (local file):

$ gem install XSpear-{version}.gem

Add this line to your application’s Gemfile:

gem 'XSpear'

And then execute:

$ bundle

Dependency gems

colorize selenium-webdriver terminal-table
If you configured it to install automatically in the Gem library, but it behaves abnormally, install it with the following command.

$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table

Usage on cli

Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'

[ Options ]
    -u, --url=target_URL             [required] Target Url
    -d, --data=POST Body             [optional] POST Method Body data
        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
        --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
    -p, --param=PARAM                [optional] Test paramters
    -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                      + with XSS Hunter, ezXSS, HBXSS, etc...
                                      + e.g : -b https://hahwul.xss.ht
    -t, --threads=NUMBER             [optional] thread , default: 10
    -o, --output=FILENAME            [optional] Save JSON Result
    -v, --verbose=1~3                [optional] Show log depth
                                      + Default value: 2
                                      + v=1 : quite mode
                                      + v=2 : show scanning log
                                      + v=3 : show detail log(req/res)
    -h, --help                       Prints this help
        --version                    Show XSpear version
        --update                     Show how to update

Result types

  • (I)NFO: Get information ( e.g sql error , filterd rule, reflected params, etc..)
  • (V)UNL: Vulnerable XSS, Checked alert/prompt/confirm with Selenium
  • (L)OW: Low level issue
  • (M)EDIUM: medium level issue
  • (H)IGH: high level issue

Case by Case

Scanning XSS

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"

json output(with silence mode)

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1

detail log

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -v 3

set thread

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30

testing at selected parameters

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test


About the Author
Cyber Security ; News ; Research Hacking; Pentesting, Wireless, Exploits

Leave a Reply


2 × tres =

Bad Authentication data.