XSpear: Powerful XSS Scanner

Last Release: 03/01/2020     Last Commit: 02/20/2021



XSpear is a powerful XSS scanning and parameter analysis tool, distributed as a Ruby gem, capable of both static and dynamic XSS vulnerability analysis. It can scan for, detect and analyze potential XSS vulnerabilities in web applications.

XSS [Cross-site Scripting]

Cross-site Scripting (XSS) is one of the most common attack techniques against web applications. It occurs when a web app generates output based on user input. If a web page contains input fields without proper validation and encoding, an attacker is sure to notice them.

For more details, check out: Cross-site Scripting (XSS) [explanation & details].
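The missing output encoding described above, shown as an added example (it is not code from XSpear or from the original page). The two render functions are hypothetical stand-ins for a search page, and the check reports which special characters a page reflects without encoding, which is the kind of reflected-parameter analysis a scanner performs:

```ruby
require 'erb'
require 'securerandom'

# Hypothetical search page that echoes user input without encoding (vulnerable).
def render_unsafe(query)
  "<html><body><p>Results for: #{query}</p></body></html>"
end

# Same page with HTML entity encoding applied at output time (hardened).
def render_safe(query)
  "<html><body><p>Results for: #{ERB::Util.html_escape(query)}</p></body></html>"
end

# Characters whose raw reflection lets input break out of an HTML context.
SPECIAL_CHARS = ['<', '>', '"', "'"].freeze

# Wrap each special character in a unique, constructed marker and report
# which characters come back in the response body unencoded.
def reflected_raw_chars(renderer)
  SPECIAL_CHARS.select do |ch|
    marker = "zq#{SecureRandom.hex(4)}"
    probe = "#{marker}#{ch}#{marker}"
    renderer.call(probe).include?(probe)
  end
end

# Summarise a page: is the parameter reflected at all, and if so,
# which special characters survive without encoding?
def analyze(renderer)
  marker = "zq#{SecureRandom.hex(4)}"
  reflected = renderer.call(marker).include?(marker)
  { reflected: reflected, raw_chars: reflected ? reflected_raw_chars(renderer) : [] }
end

if __FILE__ == $PROGRAM_NAME
  { 'unsafe' => method(:render_unsafe), 'safe' => method(:render_safe) }.each do |name, r|
    puts "#{name}: #{analyze(r)}"
  end
end
```

A parameter that is reflected with an empty raw_chars list is being encoded on output; any character in that list marks a spot where encoding is missing.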

XSpear: Powerful XSS Scanning and Parameter Analysis Tool

It is one of the XSS vulnerability scanning tools available as a Ruby gem, and it can analyze both requests and responses. This includes pattern-matching-based XSS scanning, Blind XSS testing, and testing of selected parameters.


  • Pattern matching based XSS scanning
  • Detects prompt, alert and confirm events in a headless browser (using Selenium)
  • Carries out both dynamic and static analysis
  • Runs tests on both web requests and responses to check for XSS protection bypass and reflected params
  • Supports Blind XSS testing
  • Can scan from raw request files, such as those saved from ZAP and Burp Suite
  • Supports custom callback code for attack vectors, and a configurable verbose level (quiet / normal / raw data)
  • And so much more.

Dependencies (gems):

  • selenium-webdriver
  • terminal-table
  • colorize



$ gem install XSpear

Or (local file):

$ gem install XSpear-{version}.gem

Alternatively, add the following line to your app's Gemfile and execute:

gem 'XSpear'
$ bundle

Alternatively, install dependency gems with the following command:

$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table


Run -h to get a list of available options:

$ xspear -h
    )  (
 ( /(  )\ )
 )\())(()/(          (     )  (
((_)\  /(_))`  )    ))\ ( /(  )(
__((_)(_))  /(/(   /((_))(_))(()\
\ \/ // __|((_)_\ (_)) ((_)_  ((_)
 >  < \__ \| '_ \)/ -_)/ _` || '_|
/_/\_\|___/| .__/ \___|\__,_||_|    />
           |_|                   \ /<
                                 / \<
Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'

[ Options ]
    -u, --url=target_URL             [required] Target Url
    -d, --data=POST Body             [optional] POST Method Body data
        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
    -p, --param=PARAM                [optional] Test paramters
    -t, --threads=NUMBER             [optional] thread , default: 10
    -o, --output=FILENAME            [optional] Save JSON Result
    -v, --verbose=1~3                [optional] Show log depth
                                      + Default value: 2
                                      + v=1 : quite mode
                                      + v=2 : show scanning log
                                      + v=3 : show detail log(req/res)
    -h, --help                       Prints this help
        --version                    Show XSpear version 
        --update                     Show how to update

Example: Scanning XSS

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"

Example: Testing Blind XSS

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht"

# Set your Blind XSS host with the -b option.