By Brute Logic
Research & Development in Offensive Security.

 
Back to Top

State of the art in XSS Testing

CONFIDENCE BY DESIGN

KNOXSS has a high level of confidence by design. It has almost zero false positive rate (since it has to pop the alert box to prove vulnerability) and low false negative rate regarding its XSS coverage. Its extensive list of covered XSS cases also makes it the best option out there for this kind of vulnerability.
Click to see how KNOXSS compares to top free XSS tools.
FEATURES
KNOXSS RULES_ KNOXSS RULES_

GAME CHANGER_

Test with the smartest JavaScript injections ever.
KNOXSS-UI-2024
KNOXSS-UI-2024-Popup
loading-line

Superior Technology

KNOXSS detects and proves XSS flaws automatically with little to no effort of the user. Just feed KNOXSS with your target URL and it will pop an alert box if it's exploitable according to its dozens of XSS covered cases.

KNOXSS-bypass-testimony
knoxss-community-ack-1
KNOXSS-12k-bounty

Community Acknowledgement

KNOXSS is online for 7 years already and it's responsible for several success cases with thousands of PoCs. From bug hunters to penetration testers, KNOXSS was used by more than 18k users throughout this time.

KNOXSS-Support-2
Captura de tela 2024-02-10 055935
knoxss-outstanding-support-2-4x

Outstanding support

KNOXSS service is able to offer fast technical support via X (former Twitter) chat sometimes in a matter of minutes. It's provided by knowledgeable people with experience and deep understanding of automated testing and Cross-Site Scripting.

GAME CHANGER_ GAME CHANGER_

FUTURE IS HERE_

Join the next revolution in offensive security tools.

FEATURING

TYPES

 

Source-based XSS

  • HTML Context
  • JavaScript Context
  • XML Context

.

DOM-based XSS

  • Document Sink
  • Location Sink
  • Execution Sink

 

Blind XSS (email report)

  • Custom Payloads
  • Automatic Injection

INJECTION

 

Input Scope

  • POST Body parameters (value and name)
  • URL Parameters (value and name)
  • URL Path (3 levels deep)
  • URL Fragment

 

Input Techniques

  • Base64 and Double Encode
  • Multi injection and Multi Context
  • Parameter Guessing

 

Input Authentication

  • User provided headers

EXCLUSIVE

 

Modes

  • XSS Polyglots
  • PoC Checking

 

ReferenceError Fix

  • JS Object Hoisting
  • JS Hoisting Override

 

Filter Bypass

  • Fully validated URL and email formats
  • Hardcoded Obfuscation
  • Evasion using I/O differences
  • Basic CSP bypass