XSS Scanner · Ruby

XSpear

A powerful XSS scanning and parameter-analysis tool and gem. Pattern-based detection plus a headless browser to confirm alert, confirm and prompt firings.

Ruby · MIT · Archived
1.3K+ GitHub stars
3 output formats
Selenium browser verification
Ruby gem package

Capabilities

Scan, confirm, analyze

A long-running Ruby XSS scanner (now archived, succeeded by Dalfox) — pattern matching backed by real browser verification.

Pattern-based detection

Tests parameters with a tuned payload set to flag reflected XSS.

Browser verification

A headless Selenium browser confirms real alert, confirm and prompt firings.

Blind XSS

Built-in blind XSS testing, compatible with XSS Hunter, ezXSS and HBXSS.

Bypass and filter analysis

Detects which event handlers, HTML tags and special characters the target filters.

Parameter analysis

Reports reflection points, SQL errors and missing security headers.

Raw request input

Replay request and response files exported from Burp Suite or ZAP.

Quickstart

Scan a parameter for XSS

$ gem install XSpear
# scan a single URL
$ xspear -u 'https://testphp.vulnweb.com/listproducts.php?cat=1'
[*] reflected param: cat
[I] found XSS payload (alert fired)
# blind XSS across all params, 30 threads
$ xspear -u 'https://target.tld/search?q=1' -b 'https://x.xss.ht' -a -t 30

Illustrative output.

Hunt reflected XSS.

Install the XSpear gem, or try Dalfox for ongoing development.