X9 is a powerful automated Cross-Site Scripting (XSS) discovery suite that streamlines the entire process of uncovering XSS vulnerabilities. It uses a modular pipeline consisting of:
- URL Discovery – Harvests URLs using Wayback Machine and GAU
- Parameter Analysis – Extracts and analyzes query parameters
- XSS Fuzzing – Runs intelligent fuzzing using crafted payloads

Features:
- 🔍 Comprehensive URL discovery via multiple sources
- 🧐 Smart parameter extraction and analysis
- 🎯 Intelligent and customizable XSS payload fuzzing
- 📊 Supports structured output (JSON, text)
- ⚡ Parallel and batch processing for faster scanning
```bash
# Install required Python dependencies
pip3 install -r requirements.txt

# Install URO
git clone https://github.com/s0md3v/uro && cd uro && sudo python3 setup.py install

# Install Waybackurls
go install github.com/tomnomnom/waybackurls@latest

# Install GAU
go install github.com/lc/gau/v2/cmd/gau@latest

# Install KATANA
go install github.com/projectdiscovery/katana/cmd/katana@latest
```
Make scripts executable:
```bash
chmod +x x9.py x9_run.py x9_fuzz.py x9_passive.py
```
Create a `.env` file with the following variables:
```bash
DISCORD_WEBHOOK_URL=""   # Discord webhook for notifications
NUCLEI_ROUTE=""          # Path to your Nuclei templates (e.g., xss-discovery.yaml)
SCRIPT_ROUTE=""          # Path to custom script: x9.py
X9_PASSIVE=""            # Path to passive script: x9_passive.py
```
```bash
python3 x9_fuzz.py example.com <true/false>
```
- `true` enables Katana for discovery (not recommended for general use)
- `false` sticks to GAU and Wayback

This step will:
- Gather URLs from multiple sources
- Deduplicate them
- Extract and identify parameters
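
The deduplication and parameter-extraction step listed above, as an added example (not code from X9 or URO). It assumes two URLs are duplicates when host, path and parameter names match; the sample URLs and the function names `endpoint_key`, `dedupe` and `parameter_counts` are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input standing in for merged GAU/Wayback output.
SAMPLE_URLS = [
    "https://example.com/search?q=shoes&page=1",
    "https://example.com/search?page=7&q=hats",    # same endpoint and params, new values
    "http://EXAMPLE.com/search/?q=socks&page=2",   # scheme, case and trailing-slash variant
    "https://example.com/item?id=10&ref=mail",
    "https://example.com/item?id=11",              # same path, different parameter set
    "https://example.com/static/app.js?v=3",       # static asset, skipped
    "https://example.com/about",                   # no parameters, skipped
]
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff", ".woff2")


def endpoint_key(url):
    """Return (host, path, sorted param names), or None if there is nothing to test."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed entries do occur in archived URL dumps
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    path = parts.path.rstrip("/") or "/"
    names = sorted({name for name, _ in parse_qsl(parts.query, keep_blank_values=True)})
    if not names or path.lower().endswith(STATIC_EXT):
        return None
    return parts.hostname, path, tuple(names)


def dedupe(urls):
    """Keep the first URL seen for each distinct endpoint/parameter-set combination."""
    kept = {}
    for url in urls:
        key = endpoint_key(url)
        if key is not None and key not in kept:
            kept[key] = url.strip()
    return kept


def parameter_counts(kept):
    """Count how many distinct endpoints expose each parameter name."""
    return Counter(name for _, _, names in kept for name in names)


if __name__ == "__main__":
    kept = dedupe(SAMPLE_URLS)
    print(list(kept.values()), parameter_counts(kept).most_common())
```

Collapsing on parameter names rather than values is what keeps a batch run from re-testing the same endpoint once per archived value.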
```bash
python3 x9.py -l discovered_urls.txt -v 'xss_payload' -p file,text -gs generate_strategy -vs value_strategy -o json -m get,post
```
Options:
- `-l`: File containing URLs to test
- `-v`: XSS payload to inject
- `-p`: Parameter sources (`file`, `text`, or both)
- `-gs`: Generation strategy (e.g., reflect-based, param combo)
- `-vs`: Value strategy (e.g., random, static, mirrored)
- `-o`: Output format (`json`, `text`)
- `-m`: HTTP methods to test (`get`, `post`)

```bash
python3 x9_run.py <true/false>
```
This step will:
- Process the collected URLs in batches
- Apply advanced payload fuzzing
- Test multiple parameter/value combinations

✅ Recommended: Use `false` for the fallparams option unless explicitly needed.

```bash
# Step 1: Discover URLs
python3 x9_fuzz.py target.com false

# Step 2: Initial XSS Scan
python3 x9_run.py false
```
Supported formats:
- JSON – Machine-readable, useful for integrations
- Text – Human-readable, ideal for quick reviews

Use the `-o` flag to select the format:
```bash
-o json,text
```
Add the following to your `.bashrc` or `.zshrc`:
```bash
alias x9_fuzz="python3 $HOME/Projects/automation/x9/x9_fuzz.py"
alias x9_run="python3 $HOME/Projects/automation/x9/x9_run.py"
alias x9="python3 $HOME/Projects/automation/x9/x9.py"
alias x9_passive="python3 $HOME/Projects/automation/x9/x9_passive.py"
```
Contributions are welcome! Please submit a pull request or open an issue to suggest features or report bugs.
This project is licensed under the MIT License. See the LICENSE file for details.
This tool is intended for educational and authorized security testing only. Unauthorized use of this tool against targets without permission is illegal.