FAQ

Frequently Asked Questions

Why XSStrike boasts that it is the most advanced XSS detection suite?

Because it is.

I like the project, what enhancements and features I can expect in future?

To see what is being worked on, check the development board of XSStrike. XSStrike will get the following updates in near future:

• Dynamic JS parsing for better DOM XSS scanning
• A dedicated filter bypassing engine
• Enhanced WAF evasion capabilities by WAF reversing
• Blind XSS support
• Proxy support
• Verbose output toggle

How does XSStrike decide if the injection was successful without a browser engine?

Because it knows what it is doing. It crafts payloads itself based on the context of the reflection, then it injects a payload only if the characters included in the payload are not being escaped. After injecting the payload, it compares the reflected string with the injected string using levenshtein algorithm.

Does that mean it doesn't have false negatives or false positives?

When XSStrike outputs a payload, it also prints it's two properties:

• Efficiency: The similarity between reflected and injected string 0%-100%
• Confidence: Confidence of developer on the payload, 0-10

If a payload has confidence 10 and it's efficiency is 100%. It will work for sure. Yes, it can have false negatives. For example, srcdoc or href specific injections aren't supported at all.

Tool xyz works against the target, while XSStrike doesn't!

Please use that other tool.

Can I copy it's code?

XSStrike v3 doesn't have a license atm and according to the international guidelines, using code from a software without license is illegal.

But I will give you credits, is that okay?

Nope, still illegal.

What if I want to embed it into a proprietary software?

You can mail me [email protected] to buy a license.