Xspear is a powerful XSS scanning and parameter analysis tool on ruby gems, capable of both static and dynamic XSS vulnerability analysis. Therefore, it has the ability to scan, detect and analyze potential XSS vulnerabilities on web applications.

Key features

  • Pattern matching based XSS scanning
  • Detect alert confirm prompt event on headless browser (with Selenium)
  • Testing request/response for XSS protection bypass and reflected(or all) params
    • Reflected Params
    • All params(for blind xss, anytings)
    • Filtered test event handler HTML tag Special Char Useful code
    • Testing custom payload for only you!
  • Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test…)
  • Dynamic/Static Analysis
    • Find SQL Error pattern
    • Analysis Security headers(CSP HSTS X-frame-options, XSS-protection etc.. )
    • Analysis Other headers..(Server version, Content-Type, etc…)
    • XSS Testing to URI Path
    • Testing Only Parameter Analysis (aka no-XSS mode)
  • Scanning from Raw file(Burp suite, ZAP Request)
  • XSpear running on ruby code(with Gem library)
  • Show table base cli-report and filtered rule, testing raw query(url)
  • Testing at selected parameters
  • Support output format cli json html
    • cli
    • json
    • html
  • Support Verbose level (0~3)
    • 0: quite mode(only result)
    • 1: show scanning status(default)
    • 2: show scanning logs
    • 3: show detail log(req/res)
  • Support custom callback code to any test various attack vectors
  • Support Config file

latest ):

$ gem install XSpear-{version}.gem

Add this line to your application’s Gemfile:

gem 'XSpear'

And then execute:

$ bundle


@method = method
      @query = query
      @response = response
      # self.run
    def run
      # override

Common Callback Class

  • CallbackXSSSelenium
  • CallbackErrorPatternMatch
  • CallbackCheckHeaders
  • CallbackStringMatch
  • CallbackNotAdded
  • etc…



https://github.com/hahwul/XSpear. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

code of conduct.

< CLI-Report 1 >

< CLI-Report 2 >

< JSON Report >

< HTML Report >



More at: https://github.com/hahwul/XSpear