The XSS Testing Agent is a sophisticated security testing tool that combines AI-powered analysis with automated payload generation to identify Cross-Site Scripting vulnerabilities in web applications.
The application consists of:
- Frontend: React-based web interface for entering URLs and viewing results
- Backend: Hono-based API server that orchestrates testing
- AI Integration: Novita AI (GPT-OSS-20B) for intelligent analysis
- Payload Service: MCP service for dynamic XSS payload generation
You need to set up the following environment variables:
- Sign up at Novita AI
- Get your API key from the dashboard
- Set the environment variable:
NOVITA_API_KEY=your_novita_api_key_here
- Get access to the MCP service at
trooper-mcp-production.up.railway.app - Obtain your API key from the service provider
- Set the environment variable:
MCP_API_KEY=your_mcp_api_key_here
- Go to your Val Town dashboard
- Navigate to Settings → Environment Variables
- Add the following variables:
NOVITA_API_KEY: Your Novita AI API keyMCP_API_KEY: Your MCP service API key
- Uses AI to analyze target websites and generate testing strategies
- Supports reflected, stored, and DOM-based XSS detection
- Real-time vulnerability assessment with confidence scoring
- Integrates with MCP service for up-to-date XSS payloads
- Context-aware payload selection based on target analysis
- Fallback to built-in payloads if MCP service is unavailable
- Detailed vulnerability reports with severity classification
- AI-powered security analysis and recommendations
- Evidence collection and proof-of-concept demonstrations
- Rate limiting to prevent abuse
- Ethical testing guidelines and warnings
- Comprehensive logging for audit trails
- Open the XSS Testing Agent web interface
- Enter the target URL (must include http:// or https://)
- Select test depth:
- Basic: Tests with 20 common payloads
- Comprehensive: Tests with 50+ advanced payloads
- Click "Start XSS Test"
- Payloads Tested: Number of XSS payloads executed
- Vulnerabilities Found: Total confirmed and potential vulnerabilities
- Test Duration: Time taken to complete the scan
- Severity Breakdown: Distribution of vulnerabilities by risk level
- Detailed information about each discovered vulnerability
- Payload details, injection points, and evidence
- Severity classification (Critical, High, Medium, Low)
- Confirmation status and remediation guidance
- Comprehensive security assessment by AI
- Risk analysis and potential impact evaluation
- Prioritized remediation recommendations
- Security posture evaluation
Performs XSS vulnerability testing on a target URL.
Request Body:
{ "url": "https://example.com", "testDepth": "basic" | "comprehensive", "customPayloads": ["<script>alert('test')</script>"] // optional }
Response:
{ "url": "https://example.com", "timestamp": "2025-11-12T03:14:41.787Z", "payloadsTested": 20, "vulnerabilitiesFound": [...], "aiAnalysis": "Detailed AI analysis...", "recommendations": ["Recommendation 1", "..."], "testDuration": 5432 }
Retrieves available XSS payloads from the MCP service.
Query Parameters:
type: Filter by payload type (reflected, stored, dom, all)severity: Filter by severity (low, medium, high, critical, all)limit: Maximum number of payloads to return
Checks the health status of all integrated services.
- Only test websites you own or have explicit permission to test
- Respect rate limits and avoid overwhelming target servers
- Follow responsible disclosure practices for any vulnerabilities found
- Ensure compliance with local laws and regulations
- Obtain proper authorization before testing third-party websites
- Document testing activities for audit purposes
- Some advanced XSS techniques may not be detected
- False positives are possible and should be manually verified
- Results depend on the quality of AI analysis and payload databases
- Check that API keys are properly set in environment variables
- Verify API key validity and permissions
- Check service status endpoints
- Ensure target URL is accessible and properly formatted
- Check for network connectivity issues
- Verify target website allows automated testing
- Large websites may take longer to analyze
- Network latency affects testing speed
- Consider using basic test depth for faster results
Check the browser console and network tab for detailed error messages. The application includes comprehensive logging for troubleshooting.
You can provide custom XSS payloads in the test request:
{ "url": "https://example.com", "testDepth": "basic", "customPayloads": [ "<img src=x onerror=alert('custom')>", "javascript:alert('custom')" ] }
The application includes built-in rate limiting:
- 100ms delay between payload tests
- Respects server response times
- Automatic backoff on errors
For issues or questions:
- Check the troubleshooting section above
- Review the browser console for error messages
- Verify API key configuration
- Test with a simple, known-vulnerable target first
To extend the XSS Testing Agent:
- Add new payload types in the MCP service integration
- Enhance AI analysis prompts for better insights
- Implement additional testing methodologies
- Improve the user interface and reporting features
Remember: This tool is for authorized security testing only. Always follow ethical hacking principles and legal requirements.