This plugin finds Cross Site Scripting (XSS) vulnerabilities. One configurable parameter exists:

  • persistent_xss

To find XSS bugs, the plugin sends a set of JavaScript strings to every parameter and searches the response for that input. The “persistent_xss” parameter makes the plugin store all data sent to the web application and, at the end, request all URLs again, searching for those specially crafted strings.
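The two passes described above, as an added example that is not w3af's own code: a simplified scanner loop run against a constructed in-memory application. The names toy_app, make_payload, audit and TARGETS are hypothetical; only the persistent_xss flag comes from this page.

```python
import html
import uuid

# Constructed toy application (stands in for the target; not a real site).
COMMENTS = []

def toy_app(url, params=None):
    params = params or {}
    if url == "/search":   # reflects q, HTML-escaped (safe)
        return "<p>Results for %s</p>" % html.escape(params.get("q", ""))
    if url == "/greet":    # reflects name unescaped (reflected XSS)
        return "<p>Hello %s</p>" % params.get("name", "")
    if url == "/comment":  # stores text, shows nothing back
        COMMENTS.append(params.get("text", ""))
        return "<p>Thanks</p>"
    if url == "/board":    # renders stored comments unescaped (persistent XSS)
        return "".join("<li>%s</li>" % c for c in COMMENTS)
    return ""

def make_payload():
    # Unique marker per injection so a hit maps back to one URL and parameter.
    return "<script>alert('%s')</script>" % uuid.uuid4().hex[:8]

def audit(send, targets, persistent_xss=True):
    findings, sent = [], []
    for url, names in targets:
        for name in names:
            payload = make_payload()
            sent.append((url, name, payload))
            # Reflected check: payload comes back unmodified in the same response.
            if payload in send(url, {name: payload}):
                findings.append(("reflected", url, name, url))
    if persistent_xss:
        # Second pass: request every URL again and look for any stored payload.
        for page, _ in targets:
            body = send(page)
            for url, name, payload in sent:
                if payload in body:
                    findings.append(("persistent", url, name, page))
    return findings

TARGETS = [("/search", ["q"]), ("/greet", ["name"]), ("/comment", ["text"]), ("/board", [])]

if __name__ == "__main__":
    for finding in audit(toy_app, TARGETS):
        print(finding)
```

The escaped /search parameter produces no finding, and the /comment injection is only caught on the second pass, when /board is requested again.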

Plugin type



| Name | Type | Default Value | Description | Help |
|---|---|---|---|---|
| persistent_xss | boolean | True | Identify persistent cross site scripting vulnerabilities | If set to True, w3af will navigate all pages of the target one more time, searching for persistent cross site scripting vulnerabilities. |


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
Plugin source code
Unittest source code


This plugin has no dependencies.