Increasing XSS impact using XSScope

InfoSec Write-ups – Medium–

During Bug Hunting, everyone aims for triggering the “1” alert. However, if you want to escalate your impact of XSS, now you can do this easily by using XSScope.

What is XSScope?

What is XSScope? XSScope is an advanced XSS payload generator platform for Client-Side attacks and also with an aim of increaing the impact of an XSS during Bug Hunting. Using all modules that XSScope offers, advanced XSS can be simply use with 1–2 click(s).

Github page of XSScope:

Demo usage

I have found a website which is vulnerable to XSS and doesn’t filter any kind of malicious JS code.

First, let’s try injection HTML code.

We can see that after clicking “search” button, our payload got reflected into HTML code. Now let’s see if we can inject Javascript code. This time, I will enter a Javascript payload.


Our payload got successfully executed without being filtered and we got our lovely alert trigger.

Go beyond the alert! — with XSScope

Go to and clone the project.

git clone

A GUI software will open, so go to Main -> Add HTML code
A new tab will popup, like in the image below.

Now click on “Choose Pre-generated HTML code” and click on which website you like to generate a Phishing Clone. In this case, I will choose “Amazon Login Form”. The whole code will be added into the text box automatically, so click Apply Code.

Now click on Main -> XSS Payloads and a new window will popup.

There will be 10 payloads ready to be deployed, but I’m copying the first payload since <script>alert(1)</script> worked before.

Paste the payload into the website and the Phishing Website will be displayed.

Now the victim will simply add his credentials into the phishing website.

The credentials will be stored in /XSScope/login_phishing/credentials/

Credentials captured

Other features of XSScope

~~ Spying Features ~~

  • Camera Hijacking
  • Get every Entry form value that victim enters in the website
  • Grab victim’s cookies
  • Keylogger

~~ HTML code injection ~~

  • Generate Phishing Websites with 2 using pregenerated HTML codes such as:
    Amazon, Google, Line, LinkedIn, Steam, Twitch, Verizon, WiFi and so on…
  • Generate Website Deface
  • Import HTML file from external file
  • Add your own HTML code

~~ Funny modules ~~

  • Change every link in the website
  • Change every image in the website
  • Clickjacker (redirect to another URI once user click somewhere on the website)

For any question, please contact me on:
Happy hacking!

Increasing XSS impact using XSScope was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

View original article on InfoSec Write-ups – Medium

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s