POKEXSS is a modern cross-site scripting scanner built for bug hunters and red teams. Reflected, DOM, Stored, Blind — plus GraphQL, WebSocket, JSON API, prototype pollution, open redirect, and 16 other attack surfaces. Raw-request mode, per-plant attribution, vendor-specific WAF bypass, and a 34,000+ payload arsenal that knows the modern web.
A scripted walkthrough of the URL scanner — JS param mining, SPA browser fallback, Cloudflare vendor-specific bypass, HIGH-severity finding captured. The real thing looks identical.
Every paid XSS scanner does reflected and DOM. Here’s what we do that nobody else does — and why the answer keeps coming back “POKEXSS” on r/bugbounty.
No other XSS-as-a-service scanner accepts a raw HTTP request. Paste straight from Burp Repeater,
drop {INJECT} where you want the payload, and we replay
the exact request — headers, cookies, JSON body, multipart, CSRF tokens, everything.
No re-encoding, no field guessing, no “please fill out our form.”
Label every payload before you plant it — “acme.com — feedback form,” “internal ticket #4521.” When the hit fires three weeks later in an admin tool you’ll never see, the alert tells you exactly where it came from. Every other blind XSS service just gives you an IP and a shrug.
JPEG screenshot of what the victim saw, the complete DOM, cookies, localStorage, IP, user-agent — in one card. Survives strict-CSP pages by falling back to a JSON beacon. The competition ships you a one-line callback URL and calls it a feature.
Arm a domain and the extension auto-scans every page you navigate to — parameters, forms, headers, blind stingers — without you clicking anything. Browse the target normally; POKEXSS finds the XSS in the background. No other XSS tool does this.
GraphQL variables, WebSocket frames, JSON API bodies, XML/SOAP, prototype pollution gadgets, mXSS sanitizer bypass, file uploads, postMessage origin bypass, cookie values, CRLF injection, open redirect chains, path segments — all tested in the same scan. No other XSS scanner covers more than a third of this list.
Two independent channels with separate on/off toggles. Get the email for the receipt, get the Discord ping for the “holy crap it fired” moment with your team in #findings. Test the webhook from the dashboard before you ever plant a payload.
Scan results live in memory and auto-purge after an hour. Blind captures cap at 200 per account and screenshots evict after 30 days. Bulk-delete the lot in one click. Your POCs aren’t training data for somebody else’s LLM.
SVG, HTML, and polyglot payloads — with content-type sniffing so the payload survives MIME validation. Most scanners can’t test file fields at all; we treat them as a first-class injection point.
Honest feature matrix — what each tool actually ships, based on publicly documented features as of May 2026. Spot something wrong? Let us know and we’ll fix it.
| FEATURE | POKEXSS | Knoxss | XSS Hunter Pro | xss0r | Dalfox | Nuclei | XSStrike | Burp Pro |
|---|---|---|---|---|---|---|---|---|
| Reflected XSS | ✓ | ✓ | — | partial | ✓ | ✓ | ✓ | ✓ |
| DOM XSS (headless + sink hooks) | ✓ | ✓ | — | — | partial | partial | ✓ | ✓ |
| Stored XSS (form discovery + render) | ✓ | partial | — | — | — | — | — | partial |
|
Blind XSS with per-plant attribution Label each payload before planting; alert tells you where it fired
|
✓ | partial | partial | partial | — | — | — | — |
|
Full victim capture on blind hit Screenshot + DOM + cookies + localStorage + IP + UA + WebRTC + IndexedDB
|
✓ | partial | ✓ | ✓ | — | — | — | — |
|
Raw HTTP request (Burp paste-and-go) Replay exact request shape; only mutate the marked field
|
✓ | — | — | — | — | partial | — | ✓ |
|
WAF bypass — vendor-specific payloads Cloudflare, Akamai, AWS WAF, Imperva, Azure — 50+ techniques
|
✓ | ✓ | — | partial | partial | partial | partial | ✓ |
|
JS file param mining Extracts hidden API params from bundled JS files automatically
|
✓ | — | — | — | partial | — | — | — |
|
GraphQL / WebSocket / JSON API XSS Elite tier — attack surfaces other scanners skip entirely
|
✓ | — | — | — | — | partial | — | partial |
| File-upload XSS (SVG, HTML, polyglot) | ✓ | — | — | — | — | partial | — | partial |
| CSP active bypass + DOM clobbering + postMessage | ✓ | — | — | — | — | — | — | partial |
| Open redirect → XSS detection | ✓ | — | — | — | partial | partial | — | partial |
|
Discord / Telegram alerts POKEXSS: Discord + email · xss0r: Telegram · XSS Hunter Pro: email
|
✓ | — | partial | partial | — | — | — | — |
| REST API (X-API-Key) | ✓ | ✓ | — | — | partial | ✓ | partial | ✓ |
| Self-hosted option | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓ |
| Scan results auto-purge (privacy) | ✓ | — | ✓ | partial | ✓ | ✓ | ✓ | ✓ |
Not a CVE feed dressed up as a scanner — POKEXSS focuses on one bug class and goes deeper than anything else, end-to-end from injection to capture.
Per-parameter probing across 20 injection contexts (HTML body, attributes, JS strings, CSS, URL attrs). SPA browser fallback catches client-side reflection that raw HTTP scanners miss. 50+ mutation strategies, adaptive filter fingerprinting, 34,000+ payload corpus.
Headless Chromium with hooked sinks (innerHTML, eval, document.write, setTimeout, Function) traces taint from every source — URL hash, query params, localStorage, sessionStorage, history.state, window.name, document.referrer. Proves execution, not just reflection.
Discovers forms on the page (including JS-rendered ones), submits unique markers, crawls same-origin pages to detect persistence, then re-visits in a real browser to confirm execution. Catches the bugs that fire in admin panels days later.
Stored injections that fire weeks later in admin tools you’ll never see. Label every payload before you plant it. When the hit fires, the alert tells you exactly where it came from. Ships with 13+ stinger payload shapes including srcdoc, import(), CSS beacon, and cookie exfil.
When a blind payload fires: JPEG screenshot, complete DOM, cookies, localStorage, sessionStorage, IP, user-agent, referrer — in one card. Survives strict-CSP pages via JSON beacon fallback. The competition ships you a callback URL and calls it a feature.
Paste a full HTTP request from Burp Repeater, mark the injection point with {INJECT}, and we replay the exact shape — headers, cookies, JSON body, multipart, CSRF tokens, everything. Auth-expiry safeguard aborts on 401 so you don’t waste payloads on a dead session.
Fingerprints 20+ WAFs (Cloudflare, Akamai, AWS WAF, Imperva, Azure, F5, ModSecurity…), then fires 50+ bypass techniques — vendor-specific payload shapes, gzip body encoding, HTTP verb tampering, path confusion, parameter fragmentation, fullwidth Unicode, base64 atob(), constructor chains. Rate-limit evasion keeps your IP clean on 429.
Tests Referer, User-Agent, X-Forwarded-For, cookie values, and CRLF injection in headers. Also injects into URL path segments (REST API numeric IDs and UUIDs), open redirect params (?next=, ?redirect=), and URL fragments for SPA hash routers.
Enumerates window.addEventListener('message') listeners and probes with 6 payload shapes (string, JSON object, template). Tests origin validation bypass via synthetic MessageEvent. DOM clobbering submits id/name-clobbering HTML and verifies window[marker] resolves to an HTMLElement.
Analyzes Content-Security-Policy for unsafe-inline, unsafe-eval, dangerous sources, missing base-uri, and object-src. Then actively probes whitelisted script-src hosts for JSONP gadgets, angular.js CDN bypass, and data: URI abuse — turning weak CSP into a confirmed XSS.
Auto-detects GraphQL endpoints, introspects the schema, and fuzzes every String-typed variable. Intercepts live WebSocket frames and injects into JSON message keys. Fuzzes application/json request bodies key-by-key. Tests XML/SOAP endpoints with text node injection. Attack surfaces every other XSS scanner skips.
Probes ?__proto__[key]=payload and ?constructor[prototype][key]=payload for Object.prototype poisoning, then tries known gadget chains (jQuery, Angular, Handlebars). Fingerprints DOMPurify, sanitize-html, and js-xss versions and fires version-specific mXSS bypass payloads.
Automatically fetches same-origin JS bundles and extracts hidden API param names from fetch calls, URLSearchParams, axios, jQuery Ajax, and template literals. Discovered params are added to the scan instantly — no separate tool needed. Path segment injection tests REST API /users/123 IDs too.
Crawls the page for forms including JS-rendered ones (SPA hydration), extracts every input, refreshes CSRF tokens before firing, and submits each field with payloads via the correct method and encoding. Prevents the 403s that kill most form scanners on CSRF-protected apps.
Every scan mode is automatable via X-API-Key. Wire POKEXSS into GitHub Actions, your recon pipeline, or custom hunting tooling — same engine, no UI required. Available on Pro and Elite tiers.
Scan results live in memory only and auto-expire after one hour. Blind hits cap at 200 per account, screenshots evict after 30 days. Hit “forget” and the data’s gone — bulk-delete or one-shot. Your POCs are yours, not training data.
Every scan mode is automatable via X-API-Key.
Drop POKEXSS into your recon chain, CI pipeline, or custom tooling — same engine, no UI required.
Available on Pro and Elite tiers.
Three progressive tiers. Starter covers the classic XSS surface (reflected, DOM, stored) with form auto-discovery and JS param mining. Pro adds blind XSS, header / path / CSP / DOM clobbering / postMessage modes, open redirect detection, 50+ WAF bypass techniques with vendor-specific Cloudflare / Akamai / AWS / Imperva / Azure payloads, and the full REST API. Elite unlocks raw-request mode, file-upload XSS, JSON API, GraphQL, WebSocket, prototype pollution, XML/SOAP, mXSS sanitizer bypass, Discord alerts, and unlimited daily scans — the deepest XSS coverage available anywhere.
Quick answers on scope, scanning, billing, and how POKEXSS compares to other tools. Don’t see your question? Reach out from our support page.
POKEXSS is a modern cross-site scripting (XSS) scanner built for bug bounty hunters and red teams. It scans for reflected, DOM, stored, and blind XSS across URLs, forms, headers, path/fragment, CSP, DOM clobbering, postMessage, and raw HTTP requests pasted from Burp Suite. Findings include PoC URLs and clickable PoC HTML.
Burp Pro is a general-purpose web proxy with an XSS-finding feature. POKEXSS is XSS-only and goes deeper: per-plant attribution for blind XSS, full victim capture (screenshot + DOM + cookies + localStorage), a 34,000+ payload arsenal with Burp-Intruder-style HTTP prefilter, vendor-specific WAF bypass for Cloudflare/Akamai/AWS/Imperva/Azure, 16 attack surfaces (GraphQL, WebSocket, prototype pollution, mXSS…), and a browser extension that passively scans every page you browse. POKEXSS also has a managed blind-XSS callback service so you don’t need to host one yourself.
Yes. Blind XSS is a first-class mode on the Pro and Elite tiers. Each user gets a stable per-account stinger URL plus a pixel fallback for pure-HTML contexts. Every payload can be labeled with a plant tag before you plant it, so when a hit fires weeks later in an admin tool you’ll never see, the alert tells you exactly where it came from. Captures include IP, user-agent, full DOM, cookies, localStorage, and a JPEG screenshot.
Only with explicit, written permission from the owner — through a bug bounty program in scope, a signed pentesting contract, or your own infrastructure. Unauthorized scanning is illegal in most jurisdictions and violates the POKEXSS terms of service.
POKEXSS fingerprints 20+ WAFs including Cloudflare, AWS WAF, Akamai, Imperva, Sucuri, F5, ModSecurity, and Wordfence. When a WAF is detected the scanner routes payloads through bypass-aware mutators — tag-case shuffling, attribute breakouts, JS-context escapes, null bytes, CR/LF/FF whitespace tricks, entity smuggling, double-nested tags, slash-separated attributes, gzip body encoding, HTTP verb tampering, path confusion, parameter fragmentation, fullwidth Unicode, base64 atob(), constructor chains — 50+ techniques in total, with vendor-specific payloads targeting known regex weaknesses in Cloudflare, Akamai, AWS WAF, Imperva, and Azure.
Paste the exact HTTP request from Burp Repeater into the scanner, replace the value you want to fuzz with
the {INJECT} marker, and POKEXSS replays the request with payloads
— headers, cookies, JSON body, multipart, CSRF tokens, everything preserved. No re-encoding, no
field guessing. Raw-request mode is an Elite-tier feature and no other XSS-as-a-service scanner offers it.
Yes. Pro and Elite tiers include a full REST API with X-API-Key
authentication. Every scan mode is automatable: submit a POST to /api/scan, poll the job ID,
retrieve findings as JSON. Wire it into GitHub Actions, GitLab CI, your recon pipeline, or your own
hunting tooling. See the API sample above.
Yes. Scan results live in server memory only and auto-purge after one hour. Blind hits cap at 200 per account and screenshots evict after 30 days. Bulk-delete the lot in one click. POKEXSS is self-hostable for full control. Your PoCs are not training data for somebody else’s LLM.
Yes. The free demo gives you reflected-XSS scanning, 3 scans per day, and up to 2 parameters per scan. No credit card required. Upgrade to Starter, Pro, or Elite to unlock the rest.
Yes — within 7 days of redemption, no questions asked, as long as you haven’t used more than 10% of your tier’s scan quota. Reach out through our support page from the address tied to your account. No subscriptions to cancel; we don’t store your card on our side.