Here's a comparison table between KNOXSS and 2 other free, open-source XSS tools.
Test results were collected by Diego Gonçalves in April and May of 2024 for Brute Logic.
Our XSS Coverage was used in this study.
| XSS Cases | KNOXSS v3.6.5 | Dalfox v2.9.2 | XSStrike v3.1.5 |
|---|---|---|---|
| **Single Reflection Using QUERY of URL** | | | |
| HTML Injection | True | True | True |
| HTML Injection Inline with Double Quotes | True | True | True |
| HTML Injection Inline with Single Quotes | True | True | True |
| HTML Injection Inline with Double Quotes: No Tag Breaking | True | True | True |
| HTML Injection Inline with Single Quotes: No Tag Breaking | True | True | True |
| HTML Injection with Single Quotes in JS Block | True | True | FP |
| HTML Injection with Double Quotes in JS Block | True | True | FP |
| JS Injection with Single Quotes | True | True | FP |
| JS Injection with Double Quotes | True | True | FP |
| Escaped JS Injection with Single Quotes | True | False / True* | FP |
| Escaped JS Injection with Double Quotes | True | False / True* | FP |
| JS Injection In Event Handler (No Handler Breaking) | True | FP / False* | FP |
| JS Injection in Fully Validated Anchor (Href) – email | True | False / FP* | False |
| JS Injection in Fully Validated Anchor (Href) – url1 | True | False / FP* | False |
| JS Injection in Fully Validated Anchor (Href) – url2 | True | False / FP* | False |
| JS Injection in Fully Validated Anchor (Href) – key | True | False / FP* | False |
| XML Injection with CDATA and Comment Breakout - p | True | FP / FP* | FP |
| XML Injection with CDATA and Comment Breakout - q | True | FP / FP* | FP |
| XML Injection with CDATA and Comment Breakout - r | True | FP / FP* | FP |
| **Single Reflection Using PATH of URL** | | | |
| HTML Injection Inline PHP_SELF | True | False / False* | False |
| HTML Injection 1 Level Deep | True | False / False* | False |
| HTML Injection 2 Level Deep | True | False / False* | False |
| HTML Injection 3 Level Deep | True | False / False* | False |
| HTML Injection in Script Block 1 Level Deep | True | False / False* | False |
| HTML Injection in Script Block 2 Level Deep | True | False / False* | False |
| HTML Injection in Script Block 3 Level Deep | True | False / False* | False |
| JS Injection in Script Block 1 Level Deep | True | True | False |
| JS Injection in Script Block 2 Level Deep | True | True | False |
| JS Injection in Script Block 3 Level Deep | True | True | False |
| **Multi Reflection** | | | |
| Double Injection in HTML Context with Double Quotes | True | True | False |
| Double Injection in Mixed Context with Default Quotes | True | True | False |
| Quoteless Inline Double Injection in JS variables | True | False / False* | False |
| Quoteless Inline Double Injection in JS object | True | False / False* | False |
| Quoteless Inline Double Injection in JS object with Nested Array | True | False / False* | False |
| Quoteless Inline Double Injection in JS object with Nested Function | True | False / False* | False |
| **Special Cases** | | | |
| HTML Injection with Double Encoded Bypass | True | True | False |
| HTML Injection with SQLi Error-Based | True | FP / FP* | False |
| HTML Injection with PHP FILTER_VALIDATE_EMAIL Bypass | True | False / False* | False |
| HTML Injection with Strict-Length Input (32 chars) | True | False / False* | False |
| HTML Injection with Strict-Length Input (40 chars) | True | False / False* | False |
| HTML Injection with Strict-Length Input (64 chars) | True | False / False* | False |
| HTML Injection with Strip-based Bypass (AFB) | True | False / False* | FP |
| HTML Injection with Spell Checking Bypass | True | False / False* | False |
| HTML Injection with Base64 Encoded Input | True | False / False* | False |
| HTML Injection with Parameter Guessing | True | False / True* | False** |
| HTML Injection in Parameter Name | True | False / FP* | FP |
| Multi Context Injection Bypass on Alpha-based Filter and JSON Encode Function | True | FP | FP |
| HTML Injection with CRLF in HTTP Header (Content-Type Replacement) | True | False / True* | FP |
| HTML Injection with Byte Fallback (WAF Bypass in Java) | True | False | False |
| **DOM-Based XSS** | | | |
| DOM Injection via URL Parameter (Document Sink) | True | True | False |
| DOM Injection via Open Redirection (Location Sink) | True | True | False |
| DOM Injection via URL Parameter (Execution Sink) | True | True | False |
| DOM Injection via AJAX in URL Fragment (Document Sink) | True | False / False* | False |
| DOM Injection via AngularJS Library versions 1.6.0+ | True | False / FP* | False |
| DOM Injection via Bootstrap Library versions 4.0.0, 4.1.0 and 4.1.1 | True | False / FP* | False |
| **Hybrid XSS (Source + DOM)** | | | |
| JS Injection Sanitized in Source | True | False / False* | False |
| JS Injection with Single Quotes Fixing ReferenceError - Object Hoisting | True | False / FP* | False |
| JS Injection with Single Quotes Fixing ReferenceError - Hoisting Override | True | False / FP* | False |
| **CSP Bypass** | | | |
| Unsafe Inline Directive | True | True | True |
| Base URI Against Nonce-based Scripts | True | False / FP* | False |
| Data URI Directive | True | False / FP* | False |
| Whitelisted JSONP Endpoint (googleapis.com) | True | False / FP* | False |
| **Stored XSS** | | | |
| HTML Injection via Cached Header Reflection | True | False | False |
| **Authenticated XSS** | | | |
| HTML Injection in Cookie-Based Authenticated Page | True | False / False* | False |
| Blind XSS | True | False*** | False*** |
| **Results (with FP)** | 65 (0 FP) | 23 (17 FP) | 6 (14 FP) |

FP = False Positive
* Needed external resources with --remote-payloads and --remote-wordlists options.
** It needs a 3rd party tool to find the entry point.
*** No native support for it; a 3rd party tool or service is needed.