
Tool and Usage

Project details

Year of inception
License: CC BY-SA 3.0
Programming language
Author: Hans-Michael Varbaek
Latest release
Latest release date


Why this tool?

XSSER helps to get from XSS to Remote Code Execution (RCE). It provides custom tools and payloads integrated with Metasploit's Meterpreter. The goal is to automate as much as possible.

Usage and audience

XSSER is commonly used for penetration testing, security assessment, or web application analysis. Target users for this tool are pentesters and security professionals.

Tool review and remarks

The review and analysis of this project resulted in the following remarks for this security tool:


  • + The source code of this software is available
  • - Minimal or no documentation available

History and highlights

  • Demo at Black Hat Europe 2015 Arsenal
  • Demo at Black Hat Europe 2016 Arsenal
  • Demo at Black Hat Europe 2017 Arsenal

Author and Maintainers

XSSER is under development by Hans-Michael Varbaek.


Supported operating systems

XSSER is known to work on Linux.

XSSER alternatives

Similar tools to XSSER:



XSStrike

XSStrike is a tool for penetration testers and developers to test web applications. It scans a web application for any possible cross-site scripting weakness. With its own fuzzing engine, it might find rare issues. XSStrike can also discover the presence of a web application firewall (WAF).


XSS Hunter

XSS Hunter helps with finding XSS attacks and triggers a warning when one is successful. It is available as an online service or as a self-hosted installation.


Related tool information


Cross-site scripting (XSS) is a particular weakness in web application security. It is caused by incorrect handling of input data, such as cookie data, URLs, or HTTP request parameters. When input sanitization is weak, some of that data may be returned to the user and executed as custom script.