Capabilities
CommonHuman-Lab edited this page May 18, 2026
Full list of what StingXSS detects and tests.
| Capability | Details |
|---|---|
| Reflected XSS | Unique probe markers, context detection, context-aware payloads |
| Confirmed Browser XSS | Headless Chromium intercepts alert() / confirm() — no false positives |
| DOM XSS | Static source-to-sink analysis — 28 sources, 43+ sinks across 5 categories: XSS, open redirect, link manipulation, data manipulation, prototype pollution |
| Blind XSS | 10 OOB callback variants across crawled forms |
| Stored XSS | Inject via params/headers, revisit candidate pages to confirm execution |
| CRLF / HTTP Response Splitting | 6 CRLF sequence variants injected into params and reflected headers |
| Cross-Site Tracing (XST) | TRACE method detection — HttpOnly cookie exfil via CAPEC-107 |
| Header injection | Arbitrary headers tested for reflection and stored execution |
| SPA / hash-route support | Discovers `#/path?param=` invisible to HTTP-layer scanners |
| 28 HTML/JS contexts | html_body, attr_*, script_string/bare/template, event_handler, url_attribute, css, html_comment, Angular/Vue templates + more |
| WAF fingerprinting | Cloudflare, Akamai, Imperva, AWS WAF, ModSecurity, Sucuri, F5 BIG-IP, Barracuda, Wordfence, FortiWeb |
| WAF evasion | 12 transforms: case mixing, HTML encode, Unicode escape, double URL encode, chunked tags, null byte, newline inject, comment break, backtick attr, CSS expression, String.fromCharCode, unescape() |
| data: URI payloads | Plain and base64-encoded data:text/html, data:image/svg+xml, XHTML, meta-refresh, SVG use href, iframe variants |
| CORS misconfiguration | Dynamic reflection, bypass patterns, credential exposure — 7 patterns |
| Prototype pollution | Parameter-based prototype pollution payload injection |
| DOM clobbering | Payloads targeting clobberable DOM properties |
| Clickjacking | Missing/misconfigured X-Frame-Options and frame-ancestors |
| HSTS | Missing or weak Strict-Transport-Security headers |
| SRI | `<script>` and `<link>` tags missing integrity attributes |
| JSONP | Callback parameter detection and exploitation |
| Mixed content | HTTPS pages loading HTTP resources |
| Open redirect | Parameter-based redirect detection |
| GraphQL XSS | Probes 9 common GraphQL paths, injects into string-typed arguments, confirms reflection |
| WebSocket XSS | Discovers WebSocket endpoints from page source, injects payloads as messages, confirms marker reflection (requires `stingxss[websocket]`) |
| Vulnerable libraries | Known CVEs in 10+ detected client-side JS libraries (jQuery, AngularJS, Lodash, Bootstrap, DOMPurify, …) |
| Crawler | Multi-threaded BFS, same-origin, captures hidden inputs, follows data-href/formaction SPA links |
| External JS | Fetches and analyses `<script src>` files for DOM XSS |
| Source map recon | Recovers original application source from .js.map files during crawl |
| Bulk scanning | `-L` / `--url-list` scans a whole target list in one shot |
StingXSS classifies where input lands before choosing payloads:

- `html_body` — raw HTML between tags
- `attr_double`, `attr_single`, `attr_unquoted` — HTML attribute values
- `script_string`, `script_bare`, `script_template` — inside `<script>` blocks
- `event_handler` — inline event attributes (`onclick`, `onerror`, etc.)
- `url_attribute` — `href`, `src`, `action` and similar URL sinks
- `css` — style attribute or `<style>` block values
- `html_comment` — content inside `<!-- ... -->`
- Angular / Vue template expressions

Payloads are chosen for the detected context — not sprayed blindly.
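To show what that classification step amounts to, here is an added example (my own heuristic code, not StingXSS's implementation) that reads the response text preceding each reflected probe marker and returns one of the context labels above. The function names, the `URL_ATTRS` set and the string-tracking heuristics are assumptions of this example; it ignores JS comments and Angular/Vue templates.

```python
import re

# Added example, not StingXSS project code: a heuristic classifier that labels the
# context a probe marker reflects into, using the context names listed above.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}
# last attribute whose value is still open at the end of the tag text
ATTR_TAIL = re.compile(r"""([\w:-]+)\s*=\s*(?:(["'])(?:(?!\2).)*|[^\s"'>]*)$""", re.S)

def _open_quote(js: str):  # quote char (' " `) still open at end of js, else None
    quote, i = None, 0
    while i < len(js):
        ch = js[i]
        if ch == "\\":                  # skip the escaped character
            i += 2
            continue
        if quote is None and ch in "'\"`":
            quote = ch
        elif ch == quote:
            quote = None
        i += 1
    return quote

def _context_at(before: str) -> str:
    """Classify the position right after `before`, the text preceding the marker."""
    c = before.rfind("<!--")
    if c != -1 and "-->" not in before[c:]:
        return "html_comment"
    for tag in ("script", "style"):     # raw-text elements: body is JS or CSS
        opens = list(re.finditer(rf"<{tag}\b[^>]*>", before, re.I))
        if opens and not re.search(rf"</{tag}\s*>", before[opens[-1].end():], re.I):
            if tag == "style":
                return "css"
            q = _open_quote(before[opens[-1].end():])
            return {None: "script_bare", "`": "script_template"}.get(q, "script_string")
    lt = before.rfind("<")
    if lt == -1 or ">" in before[lt:]:
        return "html_body"              # plain text between tags
    m = ATTR_TAIL.search(before[lt:])
    if not m:
        return "attr_unquoted"          # inside the tag but no value is open
    name, quote = m.group(1).lower(), m.group(2) or ""
    if name.startswith("on"):           # onclick, onerror, ...
        return "event_handler"
    if name in URL_ATTRS or name == "style":
        return "css" if name == "style" else "url_attribute"
    return {'"': "attr_double", "'": "attr_single"}.get(quote, "attr_unquoted")

def classify_reflections(body: str, marker: str) -> list:  # labels in document order
    return [_context_at(body[:m.start()]) for m in re.finditer(re.escape(marker), body)]
```

A scanner would run this over the response to a request carrying a unique marker and pick its follow-up checks from the returned labels rather than spraying every payload at every reflection.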