ezXSS – For Testing (Blind) Cross Site Scripting

Cross Site Scripting

ezXSS is a tool that eases the way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

Current features

Some features ezXSS has

  • An easy to use dashboard with statics, payloads, view/share/search reports and more
  • A payload generator
  • An instant email alert on payload
  • A custom javascript payload
  • An Enable/Disable screenshots
  • An avenue for preventing double payloads from saving or alerting
  • A block domains
  • To share/distribute reports with a direct link or with other ezXSS users
  • Easily manage and view reports in the dashboard
  • Secure your login with extra protection (2FA)
  • The following information is collected on a vulnerable page:
    • The URL of the page
    • IP Address
    • Any page referer (or share referer)
    • The User-Agent
    • All Non-HTTP-Only Cookies
    • All Locale Storage
    • All Session Storage
    • Full HTML DOM source of the page
    • Page origin
    • Time of execution
    • Screenshot of the page
  • its just easy 🙂


A host with PHP 7.1 or upA domain name (consider a short one)There must be an SSL if you want to test on https websites (consider Cloudflare or Let’s Encrypt for a free SSL)


ezXSS is easy to install

  • Should duplicate the repository and put the files in the document root
  • Should create an empty database and provide your database information in ‘src/Database.php’
  • Visit /manage/install in your browser and setup a password and email
  • Done! That was easy right?


For a demo visit demo.ezxss.com/manage with password demo1234. Please note that some features might be disabled in the demo version.



Leave a Reply

Leave a Reply