Powered by OWASP ZAP, this scanner helps you test if the target web application is affected by Cross-Site Scripting vulnerabilities.
Website Penetration Testing
Speed up your penetration test with this online scanner. It is already set up and configured with the optimal settings for best results and performance. Just start the scan and come back later for the results.
You can perform a security self-assessment to detect weaknesses in your own application. This will allow you to fix the vulnerabilities before being hit by real attackers.
Third-Party Website Audit
If you are a web development company, you can also show this report to your clients and prove that you have implemented the proper security measures in the application.
Cross-Site Scripting (XSS) is one of the best-known web application vulnerabilities. It even has a dedicated chapter in the OWASP Top 10 project and is a highly sought-after vulnerability in bug bounty programs.
The risk of a Cross-Site Scripting vulnerability can range from cookie stealing and temporary website defacement to injecting malicious scripts or reading sensitive page content of a victim user.
The scanner works in two steps:
Spider the target: In this first step, the tool tries to identify all the pages in the web application, including injectable parameters in forms, URLs, headers, etc.
Test for XSS: For each page discovered in the previous step, the scanner will try to detect if the parameters are vulnerable to Cross-Site Scripting and report them in the results page.
The table below shows the differences between the Light scan and the Full scan:
Spider max URLs
Spider max duration
Active scan max duration
The XSS scanner generates HTTP requests which can be flagged as attacks on the server side (although they are harmless). Do not use it if you don't have proper authorization from the target website owner.
This is the URL of the website that will be scanned. All URLs must start with http or https.
This scan is faster but less comprehensive than the full scan.
This is a complete Cross-Site Scripting assessment of the target web application.
How it works
The XSS Scanner uses the OWASP ZAP scanning engine, which is one of the world’s most popular open source security tools and is actively maintained by hundreds of international developers.
XSS detection is performed with a couple of requests.
More information about Cross-Site Scripting and how to remediate this vulnerability can be found in the dedicated OWASP XSS Page.