Find XSS
that scanners miss.

POKEXSS is a modern cross-site scripting scanner built for bug hunters and red teams. Reflected, DOM, Stored, Blind — plus GraphQL, WebSocket, JSON API, prototype pollution, open redirect, and 16 other attack surfaces. Raw-request mode, per-plant attribution, vendor-specific WAF bypass, and a 34,000+ payload arsenal that knows the modern web.

Reflected DOM Stored Blind + Plant tracking Raw request (Burp paste-and-go) GraphQL · WebSocket · JSON API Browser extension Email + Discord alerts WAF bypass — 50+ techniques Residential IP routing — bypass datacenter blocks
SEE IT IN ACTION

Watch POKEXSS land a real XSS in 14 seconds

A scripted walkthrough of the URL scanner — JS param mining, SPA browser fallback, Cloudflare vendor-specific bypass, HIGH-severity finding captured. The real thing looks identical.

Scripted walkthrough — your real scans show the same flow against your targets.
WHAT NO OTHER XSS TOOL OFFERS

Why hunters switch to POKEXSS

Every paid XSS scanner does reflected and DOM. Here’s what we do that nobody else does — and why the answer keeps coming back “POKEXSS” on r/bugbounty.

UNIQUE TO US
📥

Raw-request mode (Burp paste-and-go)

No other XSS-as-a-service scanner accepts a raw HTTP request. Paste straight from Burp Repeater, drop {INJECT} where you want the payload, and we replay the exact request — headers, cookies, JSON body, multipart, CSRF tokens, everything. No re-encoding, no field guessing, no “please fill out our form.”

UNIQUE TO US
📍

Per-plant attribution for blind XSS

Label every payload before you plant it — “acme.com — feedback form,” “internal ticket #4521.” When the hit fires three weeks later in an admin tool you’ll never see, the alert tells you exactly where it came from. Every other blind XSS service just gives you an IP and a shrug.

UNIQUE TO US
📸

Full victim capture, every hit

JPEG screenshot of what the victim saw, the complete DOM, cookies, localStorage, IP, user-agent — in one card. Survives strict-CSP pages by falling back to a JSON beacon. The competition ships you a one-line callback URL and calls it a feature.

UNIQUE TO US
🧩

Browser extension — passive scan as you browse

Arm a domain and the extension auto-scans every page you navigate to — parameters, forms, headers, blind stingers — without you clicking anything. Browse the target normally; POKEXSS finds the XSS in the background. No other XSS tool does this.

UNIQUE TO US
🧱

16 attack surfaces — not just URL params

GraphQL variables, WebSocket frames, JSON API bodies, XML/SOAP, prototype pollution gadgets, mXSS sanitizer bypass, file uploads, postMessage origin bypass, cookie values, CRLF injection, open redirect chains, path segments — all tested in the same scan. No other XSS scanner covers more than a third of this list.

🔔

Email and Discord alerts

Two independent channels with separate on/off toggles. Get the email for the receipt, get the Discord ping for the “holy crap it fired” moment with your team in #findings. Test the webhook from the dashboard before you ever plant a payload.

🔐

Self-hosted & privacy-first

Scan results live in memory and auto-purge after an hour. Blind captures cap at 200 per account and screenshots evict after 30 days. Bulk-delete the lot in one click. Your POCs aren’t training data for somebody else’s LLM.

File-upload XSS that actually fires

SVG, HTML, and polyglot payloads — with content-type sniffing so the payload survives MIME validation. Most scanners can’t test file fields at all; we treat them as a first-class injection point.

HOW WE STACK UP

POKEXSS vs. the other XSS tools

Honest feature matrix — what each tool actually ships, based on publicly documented features as of May 2026. Spot something wrong? Let us know and we’ll fix it.

FEATURE POKEXSS Knoxss XSS Hunter Pro xss0r Dalfox Nuclei XSStrike Burp Pro
Reflected XSS partial
DOM XSS (headless + sink hooks) partial partial
Stored XSS (form discovery + render) partial partial
Blind XSS with per-plant attribution
Label each payload before planting; alert tells you where it fired
partial partial partial
Full victim capture on blind hit
Screenshot + DOM + cookies + localStorage + IP + UA + WebRTC + IndexedDB
partial
Raw HTTP request (Burp paste-and-go)
Replay exact request shape; only mutate the marked field
partial
WAF bypass — vendor-specific payloads
Cloudflare, Akamai, AWS WAF, Imperva, Azure — 50+ techniques
partial partial partial partial
JS file param mining
Extracts hidden API params from bundled JS files automatically
partial
GraphQL / WebSocket / JSON API XSS
Elite tier — attack surfaces other scanners skip entirely
partial partial
File-upload XSS (SVG, HTML, polyglot) partial partial
CSP active bypass + DOM clobbering + postMessage partial
Open redirect → XSS detection partial partial partial
Discord / Telegram alerts
POKEXSS: Discord + email · xss0r: Telegram · XSS Hunter Pro: email
partial partial
REST API (X-API-Key) partial partial
Self-hosted option
Scan results auto-purge (privacy) partial
ships in the product · partial exists but limited · not offered. Third-party feature claims sourced from each vendor’s public documentation as of May 2026.

Built for finding real bugs

Not a CVE feed dressed up as a scanner — POKEXSS focuses on one bug class and goes deeper than anything else, end-to-end from injection to capture.

❯_

Reflected XSS

Per-parameter probing across 20 injection contexts (HTML body, attributes, JS strings, CSS, URL attrs). SPA browser fallback catches client-side reflection that raw HTTP scanners miss. 50+ mutation strategies, adaptive filter fingerprinting, 34,000+ payload corpus.

DOM XSS

Headless Chromium with hooked sinks (innerHTML, eval, document.write, setTimeout, Function) traces taint from every source — URL hash, query params, localStorage, sessionStorage, history.state, window.name, document.referrer. Proves execution, not just reflection.

💾

Stored XSS

Discovers forms on the page (including JS-rendered ones), submits unique markers, crawls same-origin pages to detect persistence, then re-visits in a real browser to confirm execution. Catches the bugs that fire in admin panels days later.

Blind XSS with plant tracking

Stored injections that fire weeks later in admin tools you’ll never see. Label every payload before you plant it. When the hit fires, the alert tells you exactly where it came from. Ships with 13+ stinger payload shapes including srcdoc, import(), CSS beacon, and cookie exfil.

📸

Full victim capture

When a blind payload fires: JPEG screenshot, complete DOM, cookies, localStorage, sessionStorage, IP, user-agent, referrer — in one card. Survives strict-CSP pages via JSON beacon fallback. The competition ships you a callback URL and calls it a feature.

📥

Raw request scanning

Paste a full HTTP request from Burp Repeater, mark the injection point with {INJECT}, and we replay the exact shape — headers, cookies, JSON body, multipart, CSRF tokens, everything. Auth-expiry safeguard aborts on 401 so you don’t waste payloads on a dead session.

WAF detection & bypass

Fingerprints 20+ WAFs (Cloudflare, Akamai, AWS WAF, Imperva, Azure, F5, ModSecurity…), then fires 50+ bypass techniques — vendor-specific payload shapes, gzip body encoding, HTTP verb tampering, path confusion, parameter fragmentation, fullwidth Unicode, base64 atob(), constructor chains. Rate-limit evasion keeps your IP clean on 429.

🧵

Header & path injection

Tests Referer, User-Agent, X-Forwarded-For, cookie values, and CRLF injection in headers. Also injects into URL path segments (REST API numeric IDs and UUIDs), open redirect params (?next=, ?redirect=), and URL fragments for SPA hash routers.

💬

postMessage & DOM clobbering

Enumerates window.addEventListener('message') listeners and probes with 6 payload shapes (string, JSON object, template). Tests origin validation bypass via synthetic MessageEvent. DOM clobbering submits id/name-clobbering HTML and verifies window[marker] resolves to an HTMLElement.

🛡

CSP audit + active bypass

Analyzes Content-Security-Policy for unsafe-inline, unsafe-eval, dangerous sources, missing base-uri, and object-src. Then actively probes whitelisted script-src hosts for JSONP gadgets, angular.js CDN bypass, and data: URI abuse — turning weak CSP into a confirmed XSS.

🌐

GraphQL · WebSocket · JSON API · XML

Auto-detects GraphQL endpoints, introspects the schema, and fuzzes every String-typed variable. Intercepts live WebSocket frames and injects into JSON message keys. Fuzzes application/json request bodies key-by-key. Tests XML/SOAP endpoints with text node injection. Attack surfaces every other XSS scanner skips.

🧬

Prototype pollution & mXSS

Probes ?__proto__[key]=payload and ?constructor[prototype][key]=payload for Object.prototype poisoning, then tries known gadget chains (jQuery, Angular, Handlebars). Fingerprints DOMPurify, sanitize-html, and js-xss versions and fires version-specific mXSS bypass payloads.

🔍

JS param mining & smart discovery

Automatically fetches same-origin JS bundles and extracts hidden API param names from fetch calls, URLSearchParams, axios, jQuery Ajax, and template literals. Discovered params are added to the scan instantly — no separate tool needed. Path segment injection tests REST API /users/123 IDs too.

Form auto-discovery

Crawls the page for forms including JS-rendered ones (SPA hydration), extracts every input, refreshes CSRF tokens before firing, and submits each field with payloads via the correct method and encoding. Prevents the 403s that kill most form scanners on CSRF-protected apps.

Full REST API

Every scan mode is automatable via X-API-Key. Wire POKEXSS into GitHub Actions, your recon pipeline, or custom hunting tooling — same engine, no UI required. Available on Pro and Elite tiers.

🔐

Privacy by design

Scan results live in memory only and auto-expire after one hour. Blind hits cap at 200 per account, screenshots evict after 30 days. Hit “forget” and the data’s gone — bulk-delete or one-shot. Your POCs are yours, not training data.

AUTOMATE IT

Full REST API — wire it into your hunting pipeline

Every scan mode is automatable via X-API-Key. Drop POKEXSS into your recon chain, CI pipeline, or custom tooling — same engine, no UI required. Available on Pro and Elite tiers.

CURL
# Submit a scan
curl -X POST https://pokexss.com/api/scan \
  -H "X-API-Key: pk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://target.example.com/?q=test",
    "modes": ["reflected", "dom", "blind"],
    "extra_params": ["search", "ref"],
    "cookies": {"session": "abc"}
  }'

# Response
{
  "job_id": "j_8f2a91c4",
  "state": "queued",
  "tier": "pro"
}

# Poll for findings
curl https://pokexss.com/api/jobs/j_8f2a91c4 \
  -H "X-API-Key: pk_live_..."
PYTHON
import requests, time

API = "https://pokexss.com/api"
KEY = "pk_live_..."
H   = {"X-API-Key": KEY}

# Raw-request mode (Elite) — paste Burp request
r = requests.post(f"{API}/scan", headers=H, json={
    "raw_request": open("req.txt").read(),
    "raw_use_https": True,
    "raw_use_tool": True,
    "raw_use_curated": True,
})
job = r.json()["job_id"]

# Poll until done
while True:
    j = requests.get(f"{API}/jobs/{job}", headers=H).json()
    if j["state"] == "done": break
    time.sleep(2)

for f in j["findings"]:
    print(f["severity"], f["poc_url"])
Get API access (Pro) Read the docs →

Pricing

Three progressive tiers. Starter covers the classic XSS surface (reflected, DOM, stored) with form auto-discovery and JS param mining. Pro adds blind XSS, header / path / CSP / DOM clobbering / postMessage modes, open redirect detection, 50+ WAF bypass techniques with vendor-specific Cloudflare / Akamai / AWS / Imperva / Azure payloads, and the full REST API. Elite unlocks raw-request mode, file-upload XSS, JSON API, GraphQL, WebSocket, prototype pollution, XML/SOAP, mXSS sanitizer bypass, Discord alerts, and unlimited daily scans — the deepest XSS coverage available anywhere.

Starter

per month (billed once, no auto-renew)
$19
$19 / month
Get going
  • Reflected, DOM, and Stored XSS scanning
  • Form auto-discovery — crawl forms, fuzz every input
  • SPA browser fallback — detects client-side XSS missed by httpx-only scanners
  • JS file param mining — extracts hidden API params from bundled JS
  • 50+ payload mutation strategies (case shuffle, entity encoding, JS escape, fullwidth chars)
  • PoC URLs and clickable PoC HTML for every finding
  • 50 scans / day · up to 10 extra parameters per scan
  • Privacy: results auto-purged after 1 hour

Pro

per 3 months (billed once)
$49
$16.33 / month — save 14%
Most popular
  • Everything in Starter — plus:
  • Blind XSS hunter with per-plant attribution (label every payload)
  • Full victim capture on hit — screenshot, DOM, cookies, localStorage, IP, UA
  • Email alerts for blind hits (to any address you choose)
  • Header XSS — cookie values, CRLF injection, X-Forwarded-For, Referer
  • Path / Fragment XSS — path segment injection, REST API {id} params, SPA hash router
  • CSP audit + active bypass — JSONP gadgets, angular.js CDN, data: URI
  • DOM Clobbering, postMessage (origin validation bypass), open redirect → XSS
  • localStorage / sessionStorage / history.state DOM sources
  • WAF fingerprinting + 50+ bypass techniques — vendor-specific Cloudflare, Akamai, AWS WAF, Imperva, Azure payloads
  • Rate-limit evasion — automatic 429 backoff so your IP stays clean
  • REST API access (X-API-Key) — automate from your own tooling
  • 200 scans / day · up to 50 extra parameters per scan

Elite

per 6 months (billed once)
$79
$13.17 / month — save 31%
Everything unlocked
  • Everything in Pro — plus:
  • Raw-request mode (Burp paste-and-go) — scan exact requests in place
  • File Upload XSS — SVG, HTML, polyglot payloads with content-type bypass
  • JSON API body fuzzing — fuzz application/json endpoints other scanners ignore
  • GraphQL XSS — schema introspection + variable injection
  • WebSocket XSS — inject into live WebSocket frames
  • Prototype Pollution → XSS — __proto__ / constructor gadget chain detection
  • XML / SOAP body fuzzing — enterprise API coverage
  • mXSS sanitizer bypass — DOMPurify, sanitize-html, js-xss version-specific attacks
  • Discord webhook alerts — multi-channel notifications, toggleable
  • Unlimited daily scans · unlimited extra parameters
  • Priority hardening — first-look access to new bypass techniques
i
How redemption works. After you complete payment we email you a license key. Sign in and paste the key on your account page — your tier unlocks immediately. No subscriptions to cancel, no card stored on our side. When the paid window ends your account drops back to the free demo automatically; no data is deleted.
FAQ

Frequently asked questions

Quick answers on scope, scanning, billing, and how POKEXSS compares to other tools. Don’t see your question? Reach out from our support page.

What is POKEXSS?

POKEXSS is a modern cross-site scripting (XSS) scanner built for bug bounty hunters and red teams. It scans for reflected, DOM, stored, and blind XSS across URLs, forms, headers, path/fragment, CSP, DOM clobbering, postMessage, and raw HTTP requests pasted from Burp Suite. Findings include PoC URLs and clickable PoC HTML.

How is POKEXSS different from Burp Suite Pro?

Burp Pro is a general-purpose web proxy with an XSS-finding feature. POKEXSS is XSS-only and goes deeper: per-plant attribution for blind XSS, full victim capture (screenshot + DOM + cookies + localStorage), a 34,000+ payload arsenal with Burp-Intruder-style HTTP prefilter, vendor-specific WAF bypass for Cloudflare/Akamai/AWS/Imperva/Azure, 16 attack surfaces (GraphQL, WebSocket, prototype pollution, mXSS…), and a browser extension that passively scans every page you browse. POKEXSS also has a managed blind-XSS callback service so you don’t need to host one yourself.

Does POKEXSS detect blind XSS?

Yes. Blind XSS is a first-class mode on the Pro and Elite tiers. Each user gets a stable per-account stinger URL plus a pixel fallback for pure-HTML contexts. Every payload can be labeled with a plant tag before you plant it, so when a hit fires weeks later in an admin tool you’ll never see, the alert tells you exactly where it came from. Captures include IP, user-agent, full DOM, cookies, localStorage, and a JPEG screenshot.

Can I scan websites I don’t own?

Only with explicit, written permission from the owner — through a bug bounty program in scope, a signed pentesting contract, or your own infrastructure. Unauthorized scanning is illegal in most jurisdictions and violates the POKEXSS terms of service.

What WAFs does POKEXSS bypass?

POKEXSS fingerprints 20+ WAFs including Cloudflare, AWS WAF, Akamai, Imperva, Sucuri, F5, ModSecurity, and Wordfence. When a WAF is detected the scanner routes payloads through bypass-aware mutators — tag-case shuffling, attribute breakouts, JS-context escapes, null bytes, CR/LF/FF whitespace tricks, entity smuggling, double-nested tags, slash-separated attributes, gzip body encoding, HTTP verb tampering, path confusion, parameter fragmentation, fullwidth Unicode, base64 atob(), constructor chains — 50+ techniques in total, with vendor-specific payloads targeting known regex weaknesses in Cloudflare, Akamai, AWS WAF, Imperva, and Azure.

How does raw-request mode work?

Paste the exact HTTP request from Burp Repeater into the scanner, replace the value you want to fuzz with the {INJECT} marker, and POKEXSS replays the request with payloads — headers, cookies, JSON body, multipart, CSRF tokens, everything preserved. No re-encoding, no field guessing. Raw-request mode is an Elite-tier feature and no other XSS-as-a-service scanner offers it.

Can I use POKEXSS in my CI/CD pipeline?

Yes. Pro and Elite tiers include a full REST API with X-API-Key authentication. Every scan mode is automatable: submit a POST to /api/scan, poll the job ID, retrieve findings as JSON. Wire it into GitHub Actions, GitLab CI, your recon pipeline, or your own hunting tooling. See the API sample above.

Is my scan data private?

Yes. Scan results live in server memory only and auto-purge after one hour. Blind hits cap at 200 per account and screenshots evict after 30 days. Bulk-delete the lot in one click. POKEXSS is self-hostable for full control. Your PoCs are not training data for somebody else’s LLM.

Is there a free tier?

Yes. The free demo gives you reflected-XSS scanning, 3 scans per day, and up to 2 parameters per scan. No credit card required. Upgrade to Starter, Pro, or Elite to unlock the rest.

Do you offer refunds?

Yes — within 7 days of redemption, no questions asked, as long as you haven’t used more than 10% of your tier’s scan quota. Reach out through our support page from the address tied to your account. No subscriptions to cancel; we don’t store your card on our side.

Start free → See pricing