- BurpSuite – One of the best tools; there is also a free course lab for learning it.
- sqlmap – Automatic SQL injection and database takeover tool
- NoSQLMap – Automated NoSQL database enumeration and web application exploitation tool.
- SQLiScanner – Automatic SQL injection with Charles and sqlmap api
- SleuthQL – Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
- mssqlproxy – mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
- sqli-hunter – SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
- waybackSqliScanner – Gather URLs from the Wayback Machine, then test each GET parameter for SQL injection.
- ESC – Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.
- mssqli-duet – SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing
- burp-to-sqlmap – Performing SQL injection tests on Burp Suite bulk requests using SQLMap
- BurpSQLTruncSanner – Messy BurpSuite plugin for SQL Truncation vulnerabilities.
- XSStrike – Most advanced XSS scanner.
- xssor2 – XSS’OR – Hack with JavaScript.
- xsscrapy – XSS spider – 66/66 wavsep XSS detected
- sleepy-puppy – Sleepy Puppy XSS Payload Management Framework
- ezXSS – ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
- xsshunter – The XSS Hunter service – a portable version of XSSHunter.com
- dalfox – DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang
- xsser – Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
- XSpear – Powerful XSS scanning and parameter analysis tool & gem
- weaponised-XSS-payloads – XSS payloads designed to turn alert(1) into P1
- tracy – A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
- ground-control – A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
- xssValidator – This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
- JSShell – An interactive multi-user web JS shell
- bXSS – bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
- docem – Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)
- XSS-Radar – XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.
- BruteXSS – BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application.
- findom-xss – A fast DOM based XSS vulnerability scanner with simplicity.
- domdig – DOM XSS scanner for Single Page Applications
- femida – Automated blind-xss search for Burp Suite
- B-XSSRF – Toolkit to detect and keep track on Blind XSS, XXE & SSRF
- domxssscanner – DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities
- xsshunter_client – Correlated injection proxy tool for XSS Hunter
- extended-xss-search – A better version of my xssfinder tool – scans for different types of xss on a list of urls.
- xssmap – XSSMap is a tool developed in Python3 for detecting XSS vulnerabilities
- XSSCon – XSSCon: Simple XSS Scanner tool
- BitBlinder – BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities
- XSSOauthPersistence – Maintaining account persistence via XSS and Oauth
- shadow-workers – Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
- rexsser – This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope.
- xss-flare – XSS hunter on cloudflare serverless workers.
- Xss-Sql-Fuzz – Burp Suite plugin that automatically adds XSS and SQL payloads to all GP parameters (filtering out special parameters) with one click for fuzzing
- vaya-ciego-nen – Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
- dom-based-xss-finder – Chrome extension that finds DOM based XSS vulnerabilities
- XSSTerminal – Develop your own XSS Payload using interactive typing
- xss2png – PNG IDAT chunks XSS payload generator
- XSSwagger – A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks