About
Cross-Site Scripting (XSS) is one of the most common security vulnerabilities in modern web applications. XSS has evolved since the late '90s. Yet tools, specifically meant to detect this weakness, have not. Wingman is a command-line XSS scanner and aims to be more accurate, efficient, and thorough than what you would expect of automated solutions. We are slowly able to perfect the discovery process by focusing on this one problem. Wingman is ideal for bug bounty hunters, pentesters, and infosec professionals.
Showcase
Easy To Use
Here are a few reasons why Wingman is so easy to use.
Great Design
Packed into a small, minimalistic binary for ease of use and portability.
Proof-Of-Concepts
Wingman automatically generates proof-of-concepts, making it simple to forward the issue and get it resolved.
Cross-Platform Availability
Available on Windows, MacOS and Linux.
Benefits We Offer
Wingman was designed with customizability, speed and efficiency in mind. It is the product of a well-researched and thought-out workflow.
Extremely Fast
Wingman can analyze responses and give results in less than a milisecond.
Best Of Both Worlds
Wingman can be fully automatic or an aid in guided fuzzing.
Competitive
Wingman easily rivals popular alternatives with minimal false-positives and support for edge cases.
Constant Updates
Wingman is never finished and we will continue to make it better and add new features with free updates.
Features
Find more features and details on our announcement blog post.
Chrome Mode
Quickly spawn a sandboxed Google Chrome session to find XSS as you browse. This mode will automatically submit the current page URL and HTML forms back to Wingman for scanning purposes.
Built-in Crawler
Sit back and let Wingman scan a list of URLs using a lightweight and fast crawler, built from the ground up.
Thorough Scans
Leave no stone unturned by scanning every possible injection point, including the URL Query, Path, and HTTP Request Body. Optionally you can configure Wingman to exclude any of these.
Generated Proof-Of-Concepts
Every discovered vulnerability should require some form of proof. Wingman automatically generates a Proof-Of-Concept that you can open in your browser to demonstrate the issue. Also available in JSON format.
Proxy Support
Combine Wingman with popular Man-In-The-Middle software such as Burp Suite, OWASP ZAP, and more.
Dynamic DOM Scanner
Wingman uses advanced taint-sink tracking techniques to discover DOM XSSes. Even in highly obfuscated code.
Choose Your Plan
All of this sounds great, but most importantly, it's affordable! Select a plan that suits your needs and claim your free 14-day trial.
Pro
Full access for professionals
$9.95/Month
Includes 21% VAT- Reflected XSS
- (Dynamic) DOM XSS
- Crawler
- Guided scanning
What Our Customers Say
Here you can find a list of all the people satisfied with our product. Want to appear here as well? Tweet about us!
"Ofjaaah"
Bug Bounty Hunter, Twitch Streamer
I started using a tool called @xsswingman I'm very happy, I found 5 bountys! I recommend! simple and does what it promises.
"Ice3man"
Bug Bounty Hunter
Wingman supports smart context-based XSS detection without running a bruteforce with a thousand payloads. DOM-XSS detection is something not many tools are capable of handling, wingman does it nicely. Try it out!
"Quikke"
Bug Bounty Hunter
The usage of Wingman really helped me in exploiting XSS. The developers really thought about everything, from detection to exploitation without the manual testing process. It's an amazing tool which should be a standard in the infosec community.
"003random"
Bug Bounty Hunter
Wingman is a really well thought out and smart tool with an unique approach. I've made sure over time that every XSS I've found would also be detected by wingman. Let wingman find the XSS'es while you focus on the bigger picture.