After a lot of time and hard work, it’s finally ready. We’re excited to announce our new product: Wingman.

Wingman is a new kind of XSS scanner. We managed to eliminate many false-positive and false-negative issues by designing our methodology from the ground up. Ideal for infosec professionals, bug bounty hunters, and hobbyists.

How we stand out


Wingman is context-aware, meaning it can evaluate many different reflection scenarios and act accordingly. Take the following PHP snippet:

<?php
function sanitize($s) {
    // remove <, ' and " (note that & is left untouched)
    return str_replace("<", "", str_replace("'", "", str_replace("\"", "", $s)));
}
?>
<iframe srcdoc='<script>x="<?php echo sanitize($_GET["x"]); ?>"</script>'></iframe>

The essence of the code is this:

  1. Remove <, ' and " from an HTTP GET parameter called “x”.
  2. Reflect the result of the previous step into a script tag within an iframe srcdoc attribute.

The tricky part here is that traditional payloads will not be able to function in this situation. Payloads such as </script><script>alert(1)</script> will not work here, or any alternatives you can pull from lists on GitHub, for that matter.

That is where Wingman stands out:

karelk:standalone karel$ ./wingman -u http://localhost:8080/?x=1 --allow-internal-hosts
[INFO] Proof-Of-Concepts (PoCs):
        1.      Type:   Query
                URL:    http://localhost:8080/?x=%26%2334%3B-alert%26lpar%3B%26rpar%3B-%26%2334%3B
                Payload: &#34;-alert&lpar;&rpar;-&#34;

You can see that it detected the vulnerability and generated a Proof-Of-Concept for it, all while taking the context and the character limitations into account.
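To make the reflection context above concrete, here is an added example (not Wingman's code and not from the original post). It mirrors the page's sanitize() in JavaScript, decodes the srcdoc attribute the way a browser does before parsing the iframe document, and checks whether the reflected value is still confined to the JavaScript string. A hardened encoder is shown alongside for comparison; the named-reference table and the application model are assumptions made for this example.

```javascript
// Added example (not Wingman's code): a model of the srcdoc reflection above.
// It mirrors the page's sanitize(), decodes the attribute the way a browser
// would before parsing the iframe document, and checks whether the reflected
// value is still confined to the JavaScript string.

// Mirror of the page's PHP sanitize(): strips <, ' and " but leaves & alone.
function phpSanitize(s) {
  return s.replace(/</g, "").replace(/'/g, "").replace(/"/g, "");
}

// The page's template: value inside a JS string, inside <script>, inside srcdoc.
function renderVulnerable(value) {
  return `<iframe srcdoc='<script>x="${value}"</script>'></iframe>`;
}

// Browser model: the srcdoc attribute is HTML-decoded before the iframe
// document is parsed, so character references become raw characters again.
// Assumption: only the handful of named references used here are decoded.
const NAMED_REFS = { quot: '"', amp: "&", lt: "<", gt: ">", apos: "'", lpar: "(", rpar: ")" };

function htmlDecode(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (ref, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : ref;
  });
}

function srcdocDocument(page) {
  const m = /srcdoc='([^']*)'/.exec(page);
  return htmlDecode(m[1]);
}

// The HTML parser ends a script at the first </script>. The reflection is
// confined only if the script body is still exactly x="<one string literal>".
function scriptBody(doc) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(doc);
  return m ? m[1] : null;
}

function staysInString(doc) {
  const body = scriptBody(doc);
  return body !== null && /^x="(?:[^"\\]|\\[\s\S])*"$/.test(body);
}

// Hardened template: JSON-encode for the JS string context, turn <, > and &
// into \u escapes so the decoded srcdoc can never contain </script> or a new
// character reference, then HTML-encode the result for the attribute.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

function htmlAttrEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function renderHardened(value) {
  return `<iframe srcdoc='<script>x=${htmlAttrEncode(jsStringLiteral(value))}</script>'></iframe>`;
}

// true when the reflected value breaks out of the JS string inside the iframe.
function valueEscapesString(raw, hardened = false) {
  const page = hardened ? renderHardened(raw) : renderVulnerable(phpSanitize(raw));
  return !staysInString(srcdocDocument(page));
}

// What x actually holds inside the iframe under the hardened template.
function recoveredValue(raw) {
  const body = scriptBody(srcdocDocument(renderHardened(raw)));
  return JSON.parse(body.slice("x=".length));
}

// Inputs taken from the page: the classic payload and Wingman's generated PoC.
const CLASSIC = "</script><script>alert(1)</script>";
const WINGMAN_POC = "&#34;-alert&lpar;&rpar;-&#34;";
console.log("classic payload escapes:", valueEscapesString(CLASSIC));            // false
console.log("entity payload escapes:", valueEscapesString(WINGMAN_POC));         // true
console.log("entity payload, hardened:", valueEscapesString(WINGMAN_POC, true)); // false
```

The point the model makes is that the filter is checked against the wrong layer: the browser decodes the attribute before the inner document is parsed, so a filter that strips quotes but not ampersands never sees the quote that actually arrives. Encoding for each context in turn (JS string, then HTML attribute) keeps the value intact and confined regardless of what it contains.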

Dynamic DOM Scanner

A somewhat rare technique we have implemented is taint-sink tracking.

The idea is that you inject a random string into a JavaScript "source" (URL query, window name, anything that can be controlled by a third party). We then see where it ends up (hopefully a sink) and track it back to the source.

All of this combined with context-awareness and live-scanning allows Wingman to automatically generate Proof-Of-Concepts on the fly:

karelk:standalone karel$ ./wingman -u
[INFO] Proof-Of-Concepts (PoCs):
        1.      Type:   Dom
                URL:    data:text/html,<!-- XSS discovered and PoC generated by Wingman ( --><script>"alert()";location.href="http:\/\/\/dom\/toxicdom\/window\/name\/eval"</script>
                Payload: alert()

Live Scanning

Another feature is the ability to launch a Google Chrome session and scan while browsing. URLs and HTML Forms are automatically submitted back to Wingman for scanning purposes.

This mode will also log JavaScript sink calls to the terminal.

Sink logging could have aided in finding the famous Google Search DOM XSS.

What to expect

Something we pride ourselves on is our constant desire to do better. We aim to cover as many edge cases as possible while remaining reliable.

Things we already have on our product roadmap at the time of writing:

  • Burp Extension
  • Extended functionality for aided (live) scanning
  • Support for additional JavaScript sinks

Scan types

Wingman supports multiple scanning options out of the box. Any scan type can be explicitly excluded if needed. Below is an overview of every type we have at the moment.

  • Scan every URL parameter.
    x and y will be scanned
    URL will be ignored

  • Scan the URL path on every level.
    Trailing directory will be scanned
    /x/ and trailing directory will be scanned

  • Scan every HTTP POST body with an application/x-www-form-urlencoded Content-Type (HTML forms).

    POST /reflected/parameter/form HTTP/1.1
    Content-Length: 56
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Connection: close

    q will be scanned

  • Perform dynamic analysis on all executed JavaScript on the targeted endpoint.

Supported platforms

Operating System | 64-bit | 32-bit

Getting started

Sign up for free and get started within a couple of minutes. Find the installation guide here or on your dashboard.