XSS-Freak: XSS Scanner Fully Written in Python

XSS-Freak: XSS Scanner Fully Written in Python

XSS-Freak is a tool fully written in Python3 to perform cross-site scripting. It works as an XSS scanner to crawls the whole website and scans all possible directories and links to expand the scope of its attack. After that, it activates the search to get information about input fields. Next, it will begin several XSS payloads. If the website has an input vulnerable and unsafe to the XSS attack, the XSS-Freak will find it out within seconds.

XSS-Freak: XSS Scanner Fully Written in Python3

XSS also is known as cross-site scripting is a kind of vulnerability found in web applications. With the help of XSS, attackers can inject malicious scripts into trusted web pages.

Cross-site Scripting (XSS) is one of the most common hacking technique when it comes to the web application vulnerabilities, and occurs when a web app generate an output based on user input. If the web page contains input fields without proper validation and encoding, it will surely be caught by hacker’s eye.

XSS allows hackers to run their malicious JavaScript in the victim’s browser which can hijack user sessions, redirect user to a “non-friendly” site, spread malware, create false requests, steal user identity and sensitive data such as: credentials, passwords, credit card numbers, etc.

Security flaws in the web applications allow these attacks to happen very often. These flaws are quite common and occur in web applications that require and input from a user.

To learn more about Cross-site Scripting (XSS) and its types, check out Cross-site Scripting (XSS) [explanation & details].


  • Bunch of XSS Payloads
  • Fully written in Python3

Supported Platforms:

  • Linux 


  • Internet connection with high speed
  • A PC that has the ability to handle the large number of threads concurrently

How does XSS-Freak work

To develop an attack the target website and a list that contains various XSS payloads are needed. Now, the tool will start scanning the main website including indexed pages to find possible directories and links in the website. Then it will scan all found directories for more links that are not found in an initial scan and include them into the attack scope. Further, it will scan all links found in both scans.

After that, the XSS-Freak tool will add all HTML inputs into attack scope. The tool will initiate the attack on these HTML inputs using the XSS payloads from the list. If the web application inputs aren’t sanitized properly, the script will detect vulnerabilities in seconds. 


  • Multithreading for fast and efficient processing
  • Crawling ability over the complete websites


  • Not supported on the phones
  • Requires high speed Internet connection
  • Requires advanced hardware

XSS-Freak Install

Clone the Github repo:

$ git clone https://github.com/hacker900123/XSS-Freak

Install the reguirements using pip3:

$ pip3 install -r requirements.txt

And run:

$ python3 XSS-Freak.py

>> [+] Give Me A Target To Destroy
>> [?] Enter Target:
>> [+] Enter File Containing XSS Payloads to Try: payloads.txt
>> [*] Searching Target For Possible Links And Directories 
>> [+] 7 Links Have Been Found 
>> [!] No Directories Have Been Found 
>> [*] I Will Sleep For 5 Minutes And My Threads Will Initialize Now And Search Each Link For HTML Inputs. Cross Your Fingers
>> [+] My Threads Have Done Working And The Total Amount Of Inputs Found On All Possible Webpages Is: 3
>> [*] I Will Launch A Bunch Of XSS Payloads Towards The Target With The Use Of Multithreading For Efficiency, Hope For The Best 
>> [*] Note: It Might Take A Lot Of Time Depending On Your Internet Speed, Amount Of Links and Inputs. And Your Processing Power
>> [+] Vulnerable Inputs Were Found Successfully
>> [+] Vulnerable Input ==> uname
>> [?] Go XSS’em Boi    
Download Box