Hey Folks, In this tutorial we are going to discuss an XSS vulnerability finder called an “xssmap“. If you are a beginner then we can recommend this tool otherwise there is nothing better than manual bug hunting. Lets talk about this tool 🙂 ! The tool has been made in python language, hence we have to prepared yourself and configure python tool to use. In this tool you will get many features like: proxy user-agent parameters etc. with the help of whose we can do anonymous bug hunting as well as can also exploit the vulnerability without much effort.

Features of this Tool

  • URL encoding bypass
  • Case bypass
  • Support unicode encoding of HTML tag attribute value to bypass
  • Support HTML encoding to bypass the HTML tag attribute value
  • Support for flexible replacement of () ‘”to bypass

Lets take a look 🙂 !!


We do not need a lot of resources to download this tool just we should have only CURL tool which will download it automatically in our system. After the prerequisites are met, we will execute the following command.

After completing this, we will go to the directory which was created itself after completion of downloading.

All the work has been done now we are ready to start this tool and can execute and check the features of this tool by executing the below command.


Let’s take an example first and for the testing purposes we will use XVWA vulnerable web application which is vulnerable to the XSS vulnerability. You can analysis the given code in which we have given the location and parameter to the vulnerability where possible we may get vulnerability of XSS.


Great 🙂 You can see that it has successfully found the vulnerability and is even giving us the payload with the help of which we exploit the vulnerability.

After enter the payload onto the vulnerable parameter we get the following results.

In the same way you can use it on various web applications and detect vulnerabilities of XSS.

About the Author
Shubham Goyal Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be Contact on Linkedin.

Leave a Reply

Your email address will not be published. Required fields are marked *