Find more features and details on our announcement blog post.
Quickly spawn a sandboxed Google Chrome session to find XSS as you browse. This mode will automatically submit the current page URL and HTML forms back to Wingman for scanning purposes.
Sit back and let Wingman scan a list of URLs using a lightweight and fast crawler, built from the ground up.
Leave no stone unturned by scanning every possible injection point, including the URL Query, Path, and HTTP Request Body. Optionally, you can configure Wingman to exclude any of these.
Every discovered vulnerability should require some form of proof. Wingman automatically generates a Proof-Of-Concept that you can open in your browser to demonstrate the issue. Also available in JSON format.
Combine Wingman with popular Man-In-The-Middle software such as Burp Suite, OWASP ZAP, and more.
Wingman uses advanced taint-sink tracking techniques to discover DOM XSS, even in highly obfuscated code.
Here you can find a list of all the people satisfied with our product. Want to appear here as well? Tweet about us!
Bug Bounty Hunter, Twitch Streamer
I started using a tool called @xsswingman. I'm very happy, I found 5 bounties! I recommend! Simple and does what it promises.
Bug Bounty Hunter
Wingman supports smart context-based XSS detection without running a bruteforce with a thousand payloads. DOM-XSS detection is something not many tools are capable of handling; Wingman does it nicely. Try it out!
Bug Bounty Hunter
The usage of Wingman really helped me in exploiting XSS. The developers really thought about everything, from detection to exploitation without the manual testing process. It's an amazing tool which should be a standard in the infosec community.
Bug Bounty Hunter
Wingman is a really well thought out and smart tool with a unique approach. I've made sure over time that every XSS I've found would also be detected by Wingman. Let Wingman find the XSSes while you focus on the bigger picture.