In my own spare time I like to participate in the bug bounty programs. They are a hard challenge, but it is satisfying to find vulnerabilities in big companies. I usually look for XSS vulnerabilities, for this reason I have written a little python script to automate the search of XSS.


XSSSonar is an open source tool to look for XSS vulnerabilities on a web page, it is written in Python 2.x for now, but I hope to rewrite it in Python 3.x. You can download it from the GitHub repository.

A little trick to properly use XSSSonar with POST parameters: in the source code of the site you find the HTML tag where the POST parameters are and check if there is the attribute action. If so, the value of attribute is the URL to type in XSSSonar. It is better to assign default values to POST parameters to have a more precise scan.