POKEXSS is a modern cross-site scripting scanner built for bug hunters and red teams. Reflected, DOM, and blind — with WAF fingerprinting and a payload arsenal that knows the modern web.
Not a CVE feed dressed up as a scanner — POKEXSS focuses on the single bug class it cares about, and goes deeper there than anything else.
Per-parameter probing with 50+ base payloads and 30+ mutation strategies — tag-case shuffling, attribute breakouts, JS-context escapes, comment smuggling.
Headless Chromium with hooked sinks (innerHTML, document.write, eval, setTimeout, Function) traces taint from source to sink, then proves exploitability.
Out-of-band beacons fire on stored-and-rendered injections in admin panels, support tickets, log viewers — anywhere a payload lands but doesn’t reflect immediately.
Fingerprints 20+ WAFs, then routes payloads through bypass-aware mutators — null bytes, case-folding, CR/LF/FF whitespace tricks, entity smuggling, double-nest tags.
Crawls the page for forms, extracts every input, and submits each one with payloads through the right method (GET/POST) and content type.
Scan results live in memory only and auto-expire after one hour. Hit the “forget” button and they’re gone immediately. Your POCs are yours.
Pick the cadence that matches your workload. All paid plans unlock every scan mode, WAF bypass, form auto-discovery, and the full payload library.