Features

What is XSSeeker?

XSSeeker (Cross-Site Scripting Seeker) is a subscription-based and moderated service for locating Cross-Site Scripting (XSS) vulnerabilities in any application that renders HTML. XSSeeker offers several account types that meet the needs of novices, professional bug bounty hunters, and commercial red/blue teams.

How does XSSeeker work?

XSSeeker is most often used to find blind cross-site scripting (XSS) vulnerabilities. XSSeeker works by hosting a JavaScript probe that executes when it is loaded into the DOM of a vulnerable HTML page.

How do I get an XSSeeker account?

XSSeeker uses a moderated sign-up process in which each account request is validated by referral from a known person in the bug bounty community (Synack, HackerOne, Bugcrowd) or from an existing XSSeeker user. In other words, everyone is vouched for.

Prior to account approval you will receive an email outlining the terms of service and instructions for payment. Obviously all of this slows down the account creation process, but this reduces abuse by anonymous users.

What is an XSSeeker subdomain?

An XSSeeker subdomain is used in injection payloads. The XSSeeker service uses a two-letter TLD and a two-letter second-level domain (e.g. BB.AA). A subdomain (e.g. CC.BB.AA) of the two-letter second-level domain is assigned to an XSSeeker user during the account moderation process. Pro Plus and Enterprise accounts can choose custom and vanity subdomains. Pro accounts are assigned a random subdomain.

What is the XSSeeker approach to privacy?

By their very nature, blind XSS vulnerabilities can reveal sensitive information about users, internal applications, and systems. XSSeeker needs to gather enough information for our users to be able to give actionable advice to impacted system owners. We believe each XSSeeker user is in the best position to determine how to configure their probes and subdomains.

With these competing interests in mind, the following measures are implemented:

* The vulnerable page DOM, screenshot, and collected pages are automatically purged from AWS S3 storage after a user controllable period. They can always be deleted immediately upon request. Injection metadata records (e.g. URL, cookies, etc.) are retained for 90 days or until the user deletes the record.

* PGP encryption can be used to encrypt the DOM, screenshot, collected pages, and metadata within the browser while the probe is running. The encrypted data is saved to the XSSeeker service and AWS S3 for easy access. Team collaboration (Pro Plus and Enterprise accounts) can be used to encrypt probe data with multiple keys so each user has their own unique PGP key.

* Each XSSeeker subdomain can be configured independently to require encryption and to collect (or not collect) the DOM, screenshot, and additional pages, so a user can maintain multiple privacy configurations based on customer requirements.

* An XSSeeker subdomain can be configured to temporarily or permanently drop all probe requests, or a subset of them. This is useful when a payload can't readily be cleaned up, since it prevents the collection of additional data.

What is XSSeeker's approach to user privacy?

Please read our privacy policy.