xsscrapy – Fast, thorough, XSS/SQLi spider

Give it a URL and it’ll test every link it finds for cross-site scripting and some SQL injection vulnerabilities. See FAQ for more details about SQLi detection.

From within the main folder run:

./ -u

If you wish to login then crawl:

./ -u -l loginname

If you wish to login with HTTP Basic Auth then crawl:

./ -u -l loginname --basic

If you wish to use cookies:

./ -u --cookie "SessionID=abcdef1234567890"

If you wish to limit simultaneous connections to 20:

./ -u -c 20

If you want to rate limit to 60 requests per minute:

./ -u -r 60

XSS vulnerabilities are reported in xsscrapy-vulns.txt


wget -O
pip install -r requirements.txt

May need additional libraries depending on OS. libxml2 libxslt zlib libffi openssl (sometimes libssl-dev)


  • Cookies
  • User-Agent
  • Referer
  • URL variables
  • End of URL
  • URL path
  • Forms both hidden and explicit


  • If it gives an error : ImportError: cannot import name LinkExtractor. This means that you don’t have the latest version of scrapy. You can install it using: sudo pip install --upgrade scrapy.
  • It’s called XSScrapy, so why SQL injection detection too? There is overlap between dangerous XSS chars and dangerous SQL injection characters, namely single and double quotes. Detecting SQL injection errors in a response is also simple and nonCPU-intensive. So although 99% of this script is strongly geared toward high and accurate detection of XSS adding simple SQL injection detection through error message discovery is a simple and effective addition. This script will not test for blind sql injection. Error messages it looks for come straight from w3af’s sqli audit plugin.


%d bloggers like this: