XSSone is an automated bug bounty tool designed to find Reflected XSS vulnerabilities using a complete pipeline:
Subdomain → Active → Parameters → Filter → Dalfox → XSS
- 🔍 Subdomain discovery using subfinder
- 🌐 Active domain filtering (multi-threaded)
- 🧠 Parameter collection using paramspider
- 🎯 Single parameter filtering (high XSS probability)
- 🧹 FUZZ cleaning & payload preparation
- ⚡ XSS detection using dalfox
- 🌍 Internet auto-check & retry
- 🖥️ Clean CLI + Banner
- 💾 Auto-saves results
## 📦 Installation
Clone the repository:

```bash
git clone https://github.com/winter3aki/XSS.one.git
cd XSS.one
```

Make sure these tools are installed:

```bash
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
```

```bash
pip install paramspider
```

```bash
sudo apt update
sudo apt install build-essential procps curl file git
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc
eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
brew doctor
brew install dalfox
```

```bash
pip install requests
```

Run the tool:

```bash
python3 XSSone.py
```

You will be prompted:

```text
[?] Enter target domain (example.com):
```

```text
Domain Input
↓
Subfinder (subdomains)
↓
Active Check
↓
ParamSpider (parameters)
↓
Filter Single Params
↓
Clean FUZZ
↓
Dalfox Scan
↓
Extract XSS (POC)
```
| File | Description |
|---|---|
| `subdomains.txt` | All discovered subdomains |
| `active.txt` | Active domains |
| `parameters.txt` | All collected URLs |
| `singleparam.txt` | Single parameter URLs |
| `nofuzz.txt` | Cleaned URLs |
| `scan.txt` | Dalfox full scan |
| `vulnerable.txt` | 🎯 Final XSS results |
```text
[POC][GET] https://target.com/page.php?q=<script>alert(1)</script>
```
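
For reporting and remediation, the `[POC]` lines can be reduced to a deduplicated list of affected endpoints and parameters. The following Python code is an added example, not part of XSSone; it assumes the line shape of the sample above (`[POC]`, one or more bracketed tags, then the URL), and the names `parse_poc_line` and `triage` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed line shape, taken from the sample above: "[POC]" followed by one or
# more bracketed tags (one of them the HTTP method) and then the URL.
POC_LINE = re.compile(r"^\[POC\]((?:\[[^\]]+\])+)\s+(\S.*)$")
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


def parse_poc_line(line):
    """Return a finding dict for a [POC] line, or None for any other line."""
    m = POC_LINE.match(line.strip())
    if not m:
        return None
    tags = re.findall(r"\[([^\]]+)\]", m.group(1))
    url = m.group(2).strip()
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)  # values come back URL-decoded
    # Parameters whose decoded value carries markup are the reflected ones;
    # if none look like markup, report every parameter.
    suspect = [k for k, v in params if "<" in v or ">" in v] or [k for k, _ in params]
    return {
        "method": next((t for t in tags if t.upper() in METHODS), "UNKNOWN"),
        "host": parts.netloc,
        "path": parts.path or "/",
        "params": sorted(set(suspect)),
        "poc": url,
    }


def triage(lines):
    """Deduplicate findings by (host, path, parameter) to build the fix list."""
    seen = {}
    for line in lines:
        finding = parse_poc_line(line)
        if finding:
            for param in finding["params"]:
                seen.setdefault((finding["host"], finding["path"], param), finding)
    return seen


# Constructed sample lines (not real scan output); target.com is a placeholder.
SAMPLE = """\
[I] constructed non-finding line that must be skipped
[POC][GET] https://target.com/page.php?q=<script>alert(1)</script>
[POC][GET] https://target.com/page.php?q=%3Cscript%3Ealert(1)%3C/script%3E
[POC][GET] https://shop.target.com/search?term=%3Cscript%3Ealert(1)%3C/script%3E
""".splitlines()

if __name__ == "__main__":
    for (host, path, param), f in sorted(triage(SAMPLE).items()):
        print(f"{f['method']} {host}{path} param={param}")
```

The raw and URL-encoded forms of the same finding collapse into one entry, so the output lists each endpoint and parameter that needs output encoding once.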
This tool is for educational and authorized security testing only.
- ❌ Do NOT scan targets without permission
- ❌ You are responsible for your actions
Winter AKI
If you like this project:
- ⭐ Star the repo
- 🍴 Fork it
- 🛠️ Contribute
👉 https://github.com/winter3aki/XSS.one.git