Created by EnCrYpTeD05
"Hack Smart. Hunt Hard."
XSS Hunter v2.0 is a fully automated, end-to-end Reflected XSS vulnerability scanner built specifically for bug bounty hunters. It chains together industry-standard open-source tools into a single seamless pipeline, from subdomain enumeration all the way to confirmed Proof-of-Concept XSS vulnerabilities.
No more manual chaining of tools. No more missed parameters. Just one command.
```bash
python3 xsshunter.py -d target.com
```

```
Target Domain
      ↓
1. Subfinder      → Subdomain Enumeration
      ↓
2. Active Check   → Filter Live Subdomains (20 Threads)
      ↓
3. ParamSpider    → Parameter Discovery (No Timeout)
      ↓
4. Smart Filter   → Single Params + Remove login/account URLs
      ↓
5. Deduplication  → Remove Duplicate URLs
      ↓
6. FUZZ → 123     → Dalfox Compatibility Fix
      ↓
7. Dalfox Scan    → Reflected XSS + WAF Evasion
      ↓
8. Extract POCs   → vulnerableurl.txt
```

| Feature | Description |
|---|---|
| Subdomain Enumeration | Automatically discovers subdomains using Subfinder |
| Active Subdomain Check | Filters only live subdomains using 20 parallel threads |
| Parameter Discovery | Collects all URLs and parameters using ParamSpider; no timeout, handles 100k+ parameters |
| Smart URL Filtering | Automatically removes login/account URLs, filters single parameter URLs |
| Duplicate Removal | Removes duplicate URLs before scanning |
| Reflected XSS Scan | Dalfox with `--mining-dom=false`, focused on Reflected XSS only |
| WAF Evasion | Built-in `--waf-evasion`; works against WAF protected sites |
| Clean Output | Filters WAF spam lines; only important output shown on screen |
| POC Extraction | Saves confirmed vulnerable URLs to a separate file |

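
The filtering steps above (single-parameter filter, login/account removal, deduplication, FUZZ → 123) can be pictured with the following added example, which is not XSS Hunter's own code. It assumes "login/account" means those two words appearing in the host or path, and the function name and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Keywords taken from the README's "Remove login/account URLs" step
# (matching them as substrings of host + path is an assumption).
SKIP_KEYWORDS = ("login", "account")
PLACEHOLDER, REPLACEMENT = "FUZZ", "123"

def prepare_scan_list(urls):
    """Keep single-parameter URLs, drop login/account pages,
    swap the FUZZ placeholder for 123, and deduplicate in input order."""
    seen, out = set(), []
    for raw in urls:
        parts = urlsplit(raw.strip())
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue  # blank or malformed line
        params = parse_qsl(parts.query, keep_blank_values=True)
        if len(params) != 1:
            continue  # zero or several parameters
        if any(k in (parts.netloc + parts.path).lower() for k in SKIP_KEYWORDS):
            continue  # keeps the scanner away from authentication flows
        name, value = params[0]
        if value == PLACEHOLDER:
            value = REPLACEMENT
        clean = urlunsplit((parts.scheme, parts.netloc.lower(), parts.path,
                            urlencode([(name, value)]), ""))
        if clean not in seen:
            seen.add(clean)
            out.append(clean)
    return out

# Constructed sample in the shape of ParamSpider output (value = FUZZ).
SAMPLE = [
    "https://shop.example.com/item.php?id=FUZZ",
    "https://shop.example.com/item.php?id=FUZZ",          # exact duplicate
    "https://shop.example.com/search?q=FUZZ&page=FUZZ",   # two parameters
    "https://shop.example.com/login.php?next=FUZZ",       # login page
    "https://shop.example.com/my-account/view?tab=FUZZ",  # account page
    "https://shop.example.com/static/logo.png",           # no parameters
    "https://blog.example.com/post?slug=FUZZ",
]

if __name__ == "__main__":
    for url in prepare_scan_list(SAMPLE):
        print(url)
```
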
| Feature | Description |
|---|---|
| Internet Auto-Recovery | Waits on disconnect, automatically resumes on reconnect |
| Rate Limit Detection | Auto-increases delay on 429 detection + 30s wait |
| Error Logging | All errors saved to a timestamped log file |
| Graceful Exit | Progress saved even on Ctrl+C |
| Auto Resume | Interrupted scans resume from where they left off |

| Feature | Description |
|---|---|
| Live Progress Bar | Real-time status for every step |
| ParamSpider Live Counter | Shows real-time parameter count while collecting |
| Default + Custom Mode | Use Dalfox default settings or specify custom flags |
| Single Command | Entire workflow in one command |

| Tool | Type |
|---|---|
| Python 3 | Pre-installed on Kali Linux |
| Subfinder | Go tool |
| ParamSpider | Python package |
| Dalfox | Go tool |

Clone the repo and run the installer; it will install everything automatically:
```bash
git clone https://github.com/EnCrYpTeD05/XSS-HUNTER.git
cd XSS-HUNTER
chmod +x install.sh && ./install.sh
```

```bash
# Python dependencies
pip install requests paramspider
# Go tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/hahwul/dalfox/v2@latest
```

```bash
python3 xsshunter.py -d target.com
```

```bash
python3 xsshunter.py -d target.com --dalfox-mode custom --workers 5 --delay 500 --timeout 30
```

```
-d, --domain     Target domain (required)
--threads        Threads for active subdomain check (default: 20)
--dalfox-mode    'default' or 'custom' (default: default)
--workers        Dalfox workers in custom mode (default: 5)
--delay          Dalfox delay in ms (default: 500)
--timeout        Dalfox timeout in seconds (default: 30)
```

| File | Description |
|---|---|
| `subdomains.txt` | All discovered subdomains |
| `activesubdomains.txt` | Live/active subdomains only |
| `parameters.txt` | All discovered parameters (merged) |
| `singleparam.txt` | Filtered single-parameter URLs |
| `withoutfuzz.txt` | Deduplicated URLs ready for scanning |
| `scan` | Full Dalfox scan output |
| `vulnerableurl.txt` | Confirmed vulnerable URLs |
| `xss_hunter_errors_*.log` | Error log file |

Always clean up before scanning a new target domain:

```bash
rm -rf results/ parameters.txt singleparam.txt withoutfuzz.txt subdomains.txt activesubdomains.txt scan vulnerableurl.txt scanned_urls.txt pending_urls.txt
```

```
[*] Starting scan [SID:4][4/64][6.25%] / URL: http://target.com/page.php?id=1
[*] Valid target [ code:200 / size:100 ]
[W] Reflected Payload in HTML: id=><script>alert(1)</script>
[POC][R][GET][inHTML-URL] http://target.com/page.php?id=1%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
[V] Triggered XSS Payload (found DOM Object): id="><IMG SRC=x onpageshow="alert(1)" class=dalfox>
[POC][V][GET][inHTML-URL] http://target.com/page.php?id=1%22%3E%3CIMG+SRC%3Dx...
[*] [duration: 31m][issues: 5] Finish Scan!
```
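
When triaging the `scan` file before writing a report, it helps to keep one finding per endpoint and to separate verified hits from reflection-only ones. The following is an added example, not XSS Hunter's own extraction code; it reads `[R]` as reflected and `[V]` as verified, inferred from the `[W] Reflected` and `[V] Triggered` lines in the output above, and the sample lines and function names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Line shape shown in the README: [POC][kind][method][context] url
POC_RE = re.compile(
    r"^\[POC\]\[(?P<kind>[A-Z])\]\[(?P<method>[A-Z]+)\]"
    r"\[(?P<context>[^\]]+)\]\s+(?P<url>\S+)"
)
# Only the two markers that appear in the sample output; V outranks R
# (assumption inferred from the accompanying [W]/[V] lines).
RANK = {"R": 1, "V": 2}

def triage(lines):
    """Return {endpoint: record}, keeping the strongest evidence per endpoint."""
    best = {}
    for line in lines:
        m = POC_RE.match(line.strip())
        if not m or m["kind"] not in RANK:
            continue  # status lines, payload echoes, unknown markers
        parts = urlsplit(m["url"])
        names = ",".join(sorted({k for k, _ in
                                 parse_qsl(parts.query, keep_blank_values=True)}))
        endpoint = f"{m['method']} {parts.netloc}{parts.path} [{names}]"
        rec = {"kind": m["kind"], "context": m["context"], "url": m["url"]}
        if endpoint not in best or RANK[rec["kind"]] > RANK[best[endpoint]["kind"]]:
            best[endpoint] = rec
    return best

def verified_urls(lines):
    """URLs whose strongest evidence is a verified ([V]) proof of concept."""
    return [r["url"] for r in triage(lines).values() if r["kind"] == "V"]

# Constructed sample lines; payloads replaced by placeholders.
SAMPLE = """\
[*] Starting scan [SID:1][1/3][33.33%] / URL: http://app.example.com/page.php?id=123
[POC][R][GET][inHTML-URL] http://app.example.com/page.php?id=ENCODED_PAYLOAD_A
[POC][V][GET][inHTML-URL] http://app.example.com/page.php?id=ENCODED_PAYLOAD_B
[POC][R][GET][inHTML-URL] http://app.example.com/search.php?q=ENCODED_PAYLOAD_C
[*] [duration: 1m][issues: 3] Finish Scan!
""".splitlines()

if __name__ == "__main__":
    for endpoint, rec in triage(SAMPLE).items():
        print(rec["kind"], endpoint)
```

Reflection-only endpoints still need manual confirmation before they go into a report; the verified list is the one that maps to the "confirmed" wording used for `vulnerableurl.txt`.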
This tool is intended strictly for authorized security testing only:
- Authorized bug bounty programs
- CTF competitions
- Explicitly authorized penetration testing engagements
- Your own systems/applications
Always verify the target is in-scope before testing. Follow the program's rules and terms of service at all times.
The author is not responsible for any misuse or damage caused by this tool. Unauthorized use of this tool against systems you do not have permission to test is illegal and unethical.
This project is licensed under the MIT License; see the LICENSE file for details.
Copyright (c) 2026 EnCrYpTeD05
EnCrYpTeD05 | GitHub: @EnCrYpTeD05 | Website: https://encrypted05.github.io/