DOM XSS Scanner


Passively scans all JavaScript on any webpage for DOM-based XSS patterns. Identifies dangerous sinks (innerHTML, eval, document.write, location assignments), maps user-controllable sources (URL params, hash, postMessage, referrer), and flags potential source-to-sink flows. Free alternative to Burp Suite Pro's passive DOM XSS scanner.

Drag the "💉 Scan for XSS" bookmarklet to your bookmarks bar, then:

1. Install: drag it to your bookmarks bar
2. Visit any website
3. Click it: the bookmarklet scans all inline and loaded scripts for XSS patterns

Runs on any website — all processing in your browser.


DOM XSS Passive Scanner

DOM-based XSS occurs when JavaScript takes user-controllable input (sources) and passes it to dangerous functions (sinks) without sanitization. This tool performs passive analysis — scanning code patterns without executing payloads — to identify potential vulnerability paths.

Sinks vs Sources

Sinks are functions that can execute code or inject HTML: innerHTML, eval, document.write. Sources are user-controllable inputs: URL parameters, hash fragments, postMessage data. A source-to-sink flow without sanitization is a DOM XSS vulnerability.

Passive Scanning

Analyzing code patterns without sending attack payloads. Safer than active scanning but may produce false positives.
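As an added illustration of the source-to-sink pattern scan described in the two sections above (example code, not the tool's own): it runs a small constructed subset of sink and source patterns over sample script text, follows a source into a variable one assignment deep, and flags sink lines that reference it. The pattern lists, the sanitizer heuristic and the sample script are assumptions, not the scanner's actual 16 sink and 11 source patterns.

```javascript
// Added example, not the scanner's code. Pattern lists are a constructed
// subset of DOM XSS sinks and sources, not the tool's full 16/11 sets.
const SINKS = [
  { name: "innerHTML", re: /\.(inner|outer)HTML\s*=[^=]/ },
  { name: "document.write", re: /document\.write(ln)?\s*\(/ },
  { name: "eval", re: /\beval\s*\(/ },
  { name: "location assignment", re: /\blocation(\.href)?\s*=[^=]/ },
];
const SOURCES = [
  { name: "location.search", re: /location\.search/ },
  { name: "location.hash", re: /location\.hash/ },
  { name: "document.referrer", re: /document\.referrer/ },
  { name: "postMessage data", re: /\bevent\.data\b|\be\.data\b/ },
];
// Heuristic only: a sanitizer on the sink line lowers confidence, it does not clear the finding.
const SANITIZERS = /DOMPurify\.sanitize|encodeURIComponent|textContent/;
// Scan script text line by line. A finding is reported when a sink line also references
// a source directly, or a variable that an earlier line assigned from a source.
function scanScript(code) {
  const tainted = new Map(); // variable name -> source name
  const findings = [];
  code.split("\n").forEach((line, i) => {
    const src = SOURCES.find((s) => s.re.test(line));
    const decl = line.match(/\b(?:var|let|const)\s+(\w+)\s*=/);
    if (src && decl) tainted.set(decl[1], src.name);
    for (const sink of SINKS) {
      if (!sink.re.test(line)) continue;
      let source = src ? src.name : null;
      if (!source) {
        for (const [v, s] of tainted) {
          if (new RegExp(`\\b${v}\\b`).test(line)) { source = s; break; }
        }
      }
      if (!source) continue;
      findings.push({ line: i + 1, sink: sink.name, source, sanitized: SANITIZERS.test(line) });
    }
  });
  return findings;
}
// Constructed sample script text (not taken from any real site).
const SAMPLE = [
  'const name = new URLSearchParams(location.search).get("name");',
  'document.getElementById("greet").innerHTML = "Hi " + name;',
  'document.getElementById("safe").textContent = name;',
  'window.addEventListener("message", (e) => { eval(e.data); });',
  'el.innerHTML = DOMPurify.sanitize(location.hash.slice(1));',
].join("\n");
console.table(scanScript(SAMPLE));
```

Line 3 of the sample is not flagged because textContent is not a sink; line 5 is still reported, with sanitized set to true, so that a reviewer checks the sanitizer rather than trusting its presence.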

💉 DOM XSS Scanner — FAQ

Does this actively exploit vulnerabilities?

No — this is a passive scanner. It identifies dangerous code patterns but does not inject payloads or attempt exploitation.

Will it find all XSS vulnerabilities?

It finds DOM-based XSS patterns through static analysis. Reflected and stored XSS require server-side testing.

Why can't it read all external scripts?

Same-origin policy limits reading cross-origin script contents. The tool fetches same-origin scripts and analyzes them plus all inline scripts.

What's the difference from browser DevTools?

DevTools shows code but doesn't automatically scan for dangerous patterns. This tool systematically checks 16 sink patterns and 11 source patterns.

How do I verify a finding?

Trace whether input from the identified source actually reaches the sink without sanitization. Use browser DevTools to set a breakpoint on the sink function and inspect the value it receives.