#News
- [07/2026] XSSer v1.9: "Bl4ck Swarm!" has been released!.
#Introduction
Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It provides several options to try to bypass certain filters and various special techniques for code injection.
Widely regarded as one of the most complete and influential XSS frameworks ever released — used, shipped, taught and cited across the security world since 2010.
- [ > 1500 ] pre-installed XSS attacking vectors (automatic fuzzing).
- Targeting: URL, file, stdin/pipe, raw HTTP request (
-r), 'dorking' (multiple engines) and crawler. - Injection: GET/POST, Cookie/User-Agent/Referer, DOM and HTTP Response Splitting.
- Evasion: per-WAF bypassers + character-encoding bypassers; proxy/Tor; client-certificate auth.
- Validation: each finding is verified for real executability — a context-aware engine tells apart executable contexts (HTML, JS, event handlers,
javascript:/data:URIs) from harmless reflections, with an optional headless-browser reverse connection to confirm findings and cut false positives. - Reporting: PDF (professional), XML and JSON (for CI / pipelines).
XSSer can bypass-exploit code on several WAFs:
[Akamai] Akamai (Kona / App & API Protector)
[AWS] AWS WAF
[Azure] Azure Front Door WAF
[Imperva] Imperva (Incapsula / Cloud WAF)
[F5] F5 BIG-IP ASM / Advanced WAF
[Barracuda] Barracuda WAF
[ModSec] Mod-Security + OWASP CRS v3
[Wordfence] Wordfence (WordPress)
[Sucuri] Sucuri (CloudProxy)
[FortiWeb] Fortinet FortiWeb
[WebKnight] AQTRONIX WebKnight
#Download
Latest stable: XSSer v1.9 "Bl4ck Swarm!"
$ wget https://xsser.03c8.net/xsser/xsser-1.9.tar.gz
$ tar xf xsser-1.9.tar.gz
$ cd xsser-1.9
$ sudo python3 setup.py install
$ xsser -h
$ xsser --gtk # for the GUI
#Captures
Click any capture to open it full-size.
#Documentation
Talks & papers
- 2012 at RootedCon — Slides: "XSSer - The Cross Site Scripting framework": Spanish — Video: Spanish
- 2011 at THSF'11 — Slides: "XSSer - The Mosquito": English
- 2009 at Cyberspace — Paper: "XSS for fun and profit": English | Spanish
References & recognition
Running strong since 2010, XSSer is one of the most widely-used and recognised open-source XSS frameworks in the world — shipped by default in the leading security distributions, featured in books and the security press, cited across academic research and taught in hundreds of tutorials.
Security distributions
- Official tool in Kali Linux, and shipped with Parrot Security OS, BlackArch, BackTrack, Pentoo, Cyborg and Fedora Security Lab.
Books & press
- Featured in the book “Web Penetration Testing with Kali Linux” (Packt / O'Reilly).
- Covered by Darknet, GBHackers, BriskInfoSec and Geekflare.
Academic research
- Studied in peer-reviewed research — e.g. “Exploring the Identification of XSS Attacks Using Xsser Tool”, “XSSer: hybrid deep learning for enhanced cross-site scripting detection” and “Cross-site Scripting Research: A Review” — plus hundreds more on Google Scholar.
Community & awards
- Funded/awarded project of the NLnet Foundation; referenced by OWASP; hundreds of tutorials & demos on YouTube.
#Installation
XSSer runs on many platforms. It requires Python (3.x) and the following libraries:
python3-pycurl— Python bindings to libcurl (Python 3)python3-bs4— error-tolerant HTML parser for Python 3python3-geoip— Python3 bindings for the GeoIP IP-to-country resolverpython3-gi— Python 3 bindings for gobject-introspectionpython3-selenium— Python3 bindings for Seleniumfirefoxdriver— Firefox WebDriver supportddgs— DuckDuckGo search library (used by the 'dorking' engine)fpdf2— PDF generation library (used by the '--pdf' report exporter)
Install everything automatically (as root):
$ sudo python3 setup.py install
On Debian-based systems (ex: Ubuntu) you can also install the package directly:
$ sudo apt install ./xsser_1.9_all.deb
Or install the libraries manually:
$ sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-gi python3-selenium firefoxdriver python3-fpdf2
$ sudo pip3 install pycurl bs4 pygeoip PyGObject selenium ddgs fpdf2
#Source Code
XSSer can be cloned from different code repositories.
Official
https://code.03c8.net/epsylon/xsser
$ git clone https://code.03c8.net/epsylon/xsser
Mirror (GitHub)
https://github.com/epsylon/xsser
$ git clone https://github.com/epsylon/xsser
Mirror (SourceForge)
https://sourceforge.net/p/xsser/code/
$ git clone https://git.code.sf.net/p/xsser/code xsser
#Packages
XSSer v1.9: "Bl4ck Swarm!" latest
- Download: .zip · .tar.gz
- Torrents: .tar.gz.torrent · .zip.torrent
- Ubuntu/Debian (all) package: xsser_1.9_all.deb
$ wget https://xsser.03c8.net/xsser/xsser_1.9_all.deb
$ sudo apt install ./xsser_1.9_all.deb
$ xsser --gtk # for the GUI
XSSer v1.8.3: "The HiV€!"
- Download: .zip · .tar.gz · package: xsser_1.8.3_all.deb
XSSer v1.7.2b: "ZiKA-47 Swarm!"
- Download: .tar.gz · package: xsser_1.7-1_amd64.deb
#License
XSSer is released under the General Public License v3 and is copyrighted by psy.
#Support
- Bitcoin (BTC):
19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw - Ecoin (ECO):
ETsRCBzaMawx3isvb5svX7tAukLdUFHKze
This framework is actively looking for new sponsors and funding. If you or your organization has an interest in keeping XSSer alive, please contact directly.
Shop: thehackerstyle.com/store







