XSS Scanner

Scan type
  • Light scan

Read the Terms of Service

This specialized free tool shows results and findings that are a part of the premium Deep Scan version of our proprietary Website Scanner. If you’d like to try it, check out our paid subscriptions.

Test if a web application is vulnerable to Cross-Site Scripting. This tool had previously used OWASP ZAP, but now it uses our own proprietary scanning engine.

Try the Light Version of our scanner or sign up for a paid account to perform in-depth XSS scanning and discover high-risk vulnerabilities.


Sample XSS Scanner report

Here is a sample report from our XSS Scanner that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Quick summary of the findings and their risk ratings for fast prioritization

  • Detailed risk breakdown with ready-to-use recommendations

  • Visual representations of risk ratings for the discovered vulnerabilities

XSS Scanner Report Sample

How to use the pentesting tool

Use Cases for XSS Scanner

Powered by the Pentest-Tools.com proprietary scan engine (previously powered by OWASP ZAP), this scanner helps you test if the target web application is affected by Cross-Site Scripting vulnerabilities.

  • Website Penetration Testing

    Speed up your pentest with this online scanner. It’s already set up and configured with optimal settings for best results and performance. Just start the scan and get a notification when results are ready.

  • Security Self-Assessment

    Evaluate your own application’s security to detect weaknesses. Get clear, easy-to-follow recommendations to fix web vulnerabilities before real attackers exploit them.

  • Third-Party Website Audit

    If you are a web development company, you can use this report to prove to your clients that you have implemented proper security measures in their web application.

Better vulnerability discovery.Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Pentest-Tools.com XSS Scanner Sample Report

XSS Scanner

Technical details


Cross-Site Scripting (XSS) is one of the most well-known web application vulnerabilities. It even has a dedicated chapter in the OWASP Top 10 project and it is a highly chased after vulnerability in bug bounty programs.

The risk of a Cross-Site Scripting vulnerability can range from cookie stealing, temporary website defacement, injecting malicious scripts, or reading sensitive page content of a victim user.

The scanner works in two steps:

  1. Spider the target: In this first step, the tool tries to identify all the pages in the web application, including injectable parameters in forms, URLs, headers, etc.
  2. Test for XSS: For each page discovered in the previous step, the scanner will try to detect if the parameters are vulnerable to Cross-Site Scripting and report them on the results page.

The table below shows the differences between the Light scan and the Deep scan:

Scanner capabilitiesLight scanDeep scan
Spider max URLs20500
Spider max duration1 minute15 minutes
Active scan max duration2 minutes30 minutes


The XSS scanner generates HTTP requests which can be flagged as attacks on the server-side (although they are harmless). Do not use it if you don't have proper authorization from the target website owner.


Target URLThis is the URL of the website that will be scanned. All URLs must start with http or https.
Light ScanThis scan is faster but less comprehensive than the deep scan.
Deep ScanThis is a complete Cross-Site Scripting assessment of the target web application.

How it works

The XSS Scanner had been using the OWASP ZAP scanning engine (which is one of the world’s most popular open-source security tools, actively maintained by hundreds of international developers). However, we improved upon it, and we're now using a proprietary internal scanning engine for the XSS Scanner, to your benefit.

The tool detects XSS vulnerabilities with a range of requests. First, the scanner injects a simple string in the tested parameter and checks if it is reflected on the response page. If the parameter is reflected, then the scanner will inject a piece of JavaScript code, including some special HTML characters (>, <, ", ') and it will try to see if they are returned in the response page without sanitization. If this is true, the page and parameter are declared vulnerable.

Get more information about Cross-Site Scripting and how to remediate this vulnerability on the dedicated OWASP XSS Page.