Need help with shuriken?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

124 Stars 32 Forks MIT License 43 Commits 0 Opened issues


Cross-Site Scripting (XSS) command line tool for testing lists of XSS payloads on web apps.

Services available


Need anything else?

Contributors list

# 213,188
36 commits
# 5,573
Common ...
2 commits

Shuriken | 手裏剣


python license twitter

Shuriken was developed by Shogun Lab as an open source Cross-Site Scripting (XSS) command line utility to aid web security researchers who want to test a list of XSS payloads in a web application. It allows a tester to easily change payload lists, log results and take screenshots of successful payloads.

It should only be used on valid targets who have consented to pentesting, please ensure you have permission before using this tool against a web application.


Shuriken can be installed by downloading the zip file here or by cloning the Git repository:

git clone

Shuriken works with Python 2.7.x on any platform.


  • Easily specify where in a URL the payload should be injected with the "{xss}" string.
  • Quickly change payload lists.
  • Take screenshots of successful XSS payloads.
  • Save logs of reflected XSS payloads.
  • Use fuzzy detection to log partial XSS reflections.


To get a list of options and switches, enter:

python -h

To test a list of payloads against a target URL, specify where the payloads will go with "{xss}" and enter:

python -u "{xss}" -p "xss-payload-list.txt"

Taking screenshots

If you would like to screenshot and save all reflected XSS payloads, use the -s or --screen flag with a name for the screenshot images and enter:

python -s ExampleTarget -u "{xss}" -p "xss-payload-list.txt"

To wait a specific amount of time in between requests, use the -t flag with the amount of time to wait in seconds and enter:

python -t 1.5 -u "{xss}" -p "xss-payload-list.txt"

Fuzzy XSS payload detection

To enable partial or fuzzy detection of XSS payloads in HTML source code, use the -f or --fuzzy flag with the level of detection you want to log. For example, the following command will only log XSS payload reflections that have a 75% matching score or above in the HTML source code returned:

python -f 75 -u "{xss}" -p "xss-payload-list.txt"

The default matching score supplied is 50% and will be applied when a flag with no number is given (e.g. -f or --fuzzy):

python -f -u "{xss}" -p "xss-payload-list.txt"

Partial detection is applied through the use of SeatGeek's FuzzyWuzzy Python library

method and additional information regarding this library can be found here.

Partial XSS reflections will be logged in a separate text file ending with "_partials.txt".

Misc. usage and performance notes

You must specify a payload and URL, if you don't then you'll get an error. For an example payload to test with, check out this list of common XSS payloads.

You also must have PhantomJS installed and configured in order for the tool to run in its default mode. See the next section for more details on this.

There may be a noticeable slowdown of the tool when it is being used in a virtual machine such as VirtualBox. For best performance, use Shuriken on a native machine. I am currently looking to address this virtual machine slowdown in a future update.

Third party libraries and dependencies

This tool depends on the proper configuration and installation of the following: - Python 2.7.x - Python 2 is needed to run the tool. - Splinter - Python library allowing use of a headless web browser for testing. - PhantomJS - Headless WebKit browser used by Splinter for testing. - Selenium 2.0 - WebDriver required by PhantomJS browser. - FuzzyWuzzy - Partial XSS logging using fuzzy detection methods. - python-Levenshtein - Python extension for computing string edit distances and similarities. Allows faster fuzzy detection from the FuzzyWuzzy library.

Python dependencies can be installed using pip:

pip install -r requirements.txt
. Use your platform-specific mechanism to install PhatomJS (e.g.
on OSX,
on Debian or Ubuntu, etc).

If you would prefer that this tool use a different browser for testing, you can read the Splinter docs and insert your preferred browser in the "inject_payload" method where it says

browser = Browser("phantomjs")
. Leaving it blank as
browser = Browser()
will default to Firefox.


Basic usage screen_1

With -s or --screen option to record screenshots and -t option to delay requests by specific amount screen_2

With -f or --fuzzy option to fuzzy detect and log partial XSS payload reflections screen_3


Shuriken was derived from the excellent XSS command line tool by Faizan Ahmad, called XssPy. The Shuriken XSS tool is under an MIT license, you can read it here.

The Shuriken logo is licensed under a Creative Commons Attribution 3.0 United States License. Authored by Monjin Friends.

Be responsible and use this tool at your own discretion, I cannot be held responsible for any damages caused.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.