Cross Site "Scripter" (XSSer) is an automatic framework designed to detect, exploit, and report XSS vulnerabilities in web-based applications. It is included in Kali Linux.
XSSer can detect persistent, reflected, and DOM-based XSS, scan an indicated URL or search Google for potential targets based on a given query, authenticate through different mechanisms, and perform many other tasks.
Let's try a simple scan using BodgeIt's search request as a target. To do that, issue the following command in Kali Linux's Terminal:
xsser -u http://10.7.7.5/bodgeit/search.jsp -g ?q=
Here, XSSer is running over the URL indicated by the -u parameter and scanning using the GET method and the q (-g ?q=) parameter. This means that the scanner will append its payloads to the string specified after -g, and the result of that will be appended to the URL, as it is using GET. After running the command, you'll see the result indicating that the URL tested is vulnerable to XSS:
There is also the option of using a GUI using the following command:
xsser -gtk
Here is how the GUI looks:
