Overview
XSS Exploiter provides callback endpoints that capture data when XSS payloads execute in victim browsers. Use it to validate XSS impact by collecting cookies, screenshots, keystrokes, and page content. This feature is sometimes referred to as XSS Handlers in older documentation. XSS Exploiter is an exploit helper tool: it receives callbacks from injected payloads to prove XSS exploitation. It does not add data to your Attack Surface and does not generate findings. Captured data is displayed in a custom report.How it works
1
Create a handler
Configure what data to capture and get a unique handler ID.
2
Generate payload
Pick a delivery method and copy the JavaScript payload.
3
Inject payload
Insert the payload into a vulnerable application.
4
Capture callbacks
When a victim’s browser executes the payload, data is sent to your handler.
5
Review results
View captured data in the handler’s report.
Creating a handler
When creating a handler, configure what data to capture:Enable only the options you need. Capturing screenshots increases payload size and may be blocked by some Content Security Policies.
Payload format
After creating a handler, you get a JavaScript payload to inject. Pick the one that fits your injection context.Script tag (default)
script-src from app.pentest-tools.com (e.g. script-src *).
Fetch + eval
connect-srctoapp.pentest-tools.com, sofetch()can reach the endpoint (e.g.connect-src *)script-src 'unsafe-eval', so theevalcall can run the fetched code
Access-Control-Allow-Origin: *, so the fetch can read the body cross-origin.
Captured data
For each callback received, the handler captures:Handler limits
Handlers automatically expire after 60 days. Create a new handler if you need to continue testing.
Ethical considerations
- Only test applications you have authorization to assess
- Minimize data capture, collect only what’s needed to prove the vulnerability
- Delete captured data after the engagement
- Do not use captured session tokens to access victim accounts beyond demonstration
- Report findings responsibly to the application owner
Follow-up actions
After capturing XSS callbacks:- Document the finding: Include captured data (sanitized) in your security report
- Assess cookie scope: Check if captured cookies grant access to sensitive functionality
- Test other injection points: Use Website Scanner to find additional XSS vulnerabilities
- Check for stored XSS: Verify if the payload persists and affects other users
- Review CSP: Analyze Content Security Policy headers that could mitigate XSS