Xsstarget MCP Server

MCP server by vivashu27

Created 12/18/2025
Updated about 6 hours ago
Repository documentation and setup instructions

XSS Scanner MCP Server

A Model Context Protocol (MCP) server for detecting XSS vulnerabilities with intelligent WAF detection and adaptive bypass payloads.

Features

  • Intelligent WAF Detection - Automatically identifies 12+ WAF types (Cloudflare, Akamai, AWS WAF, Imperva, etc.)
  • Adaptive Payloads - Selects XSS payloads optimized for the detected WAF
  • Curated Bypass Techniques - Includes WAF-specific bypass payloads collected from real-world testing
  • Multiple Scanning Modes - Single URL, batch URL scanning, or WAF-only detection
  • Payload Encoding - URL, HTML entity, Unicode, and double-URL encoding support
  • MCP Integration - Works with Claude Desktop and other MCP-compatible clients

Supported WAFs

| WAF | Detection | Bypass Payloads |
|-----|-----------|-----------------|
| Cloudflare | Yes | 54 payloads |
| Akamai | Yes | 9 payloads |
| AWS WAF | Yes | 15 payloads |
| CloudFront | Yes | 15 payloads |
| Imperva/Incapsula | Yes | 2 payloads |
| Wordfence | Yes | 3 payloads |
| Fortiguard/FortiWeb | Yes | 1 payload |
| ModSecurity | Yes | Generic |
| F5 BIG-IP | Yes | Generic |
| Sucuri | Yes | Generic |
| Prophaze | Yes | 3 payloads |
| Shadow Daemon | Yes | 1 payload |

Installation

Prerequisites

  • Python 3.13+
  • uv package manager

Setup

git clone https://github.com/YOUR_USERNAME/XSStarget_ai.git
cd XSStarget_ai/xss_scanner_mcp
uv sync

Usage

Running the MCP Server

cd xss_scanner_mcp
uv run xss-scanner-mcp

Claude Desktop Integration

Add to your Claude Desktop configuration file:

Windows: %APPDATA%\Claude\claude_desktop_config.json
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "xss-scanner": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/XSStarget_ai/xss_scanner_mcp",
        "run",
        "xss-scanner-mcp"
      ]
    }
  }
}

Available Tools

scan_for_xss

Scan a URL for XSS vulnerabilities with WAF-aware payloads.

Parameters:
  url (required)     - Target URL to scan
  max_payloads       - Maximum payloads to test (default: 30)
  timeout            - Request timeout in seconds (default: 10)
  parameters         - Comma-separated list of specific parameters to test

detect_waf_tool

Detect the WAF protecting a URL without performing XSS tests.

Parameters:
  url (required)     - Target URL to analyze
  timeout            - Request timeout in seconds (default: 10)

get_payloads_for_waf_tool

Get XSS payloads optimized for bypassing a specific WAF.

Parameters:
  waf_type (required) - WAF type (cloudflare, akamai, aws, imperva, etc.)
  max_payloads        - Maximum payloads to return (default: 20)
  encoding            - Optional encoding (url, html, unicode, double_url)

scan_multiple_urls

Batch scan multiple URLs for XSS vulnerabilities.

Parameters:
  urls (required)        - Newline or comma-separated list of URLs
  max_payloads_per_url   - Maximum payloads per URL (default: 20)
  timeout                - Request timeout in seconds (default: 10)

test_payload

Analyze an XSS payload structure and get encoded versions.

Parameters:
  payload (required)  - The XSS payload to analyze
  encode              - Whether to provide encoded versions (default: false)
  encoding_type       - Type of encoding (url, html, unicode, double_url, all)

list_available_wafs

List all WAF types with available bypass payloads and detection signatures.

Available Resources

Access these resources through the MCP protocol:

| Resource URI | Description |
|--------------|-------------|
| xss://payloads/all | All XSS payloads organized by WAF type |
| xss://payloads/{waf_type} | Payloads for a specific WAF |
| xss://waf/signatures | WAF detection signatures |
| xss://waf/bypass-tips/{waf_type} | Bypass tips for a specific WAF |

Project Structure

XSStarget_ai/
├── README.md
├── XSSpayloads.txt              # WAF bypass payloads collection
└── xss_scanner_mcp/
    ├── pyproject.toml           # Project configuration
    ├── README.md                # Package documentation
    ├── run_server.py            # Entry point script
    └── xss_scanner_mcp/
        ├── __init__.py
        ├── server.py            # MCP server implementation
        ├── scanner.py           # XSS scanning logic
        ├── waf_detector.py      # WAF detection engine
        └── payloads.py          # Payload management

How It Works

  1. WAF Detection: When scanning a URL, the server first makes a baseline request to detect any WAF through:

    • Response headers (e.g., cf-ray for Cloudflare)
    • Body content patterns
    • Cookie signatures

  2. Payload Selection: Based on the detected WAF, the scanner selects appropriate bypass payloads from the curated collection.

  3. XSS Testing: For each URL parameter, the scanner:

    • Injects payloads
    • Checks for reflection in the response
    • Analyzes the context (HTML tag, attribute, script block, etc.)
    • Determines if the reflection could lead to XSS execution

  4. Reporting: Results include:

    • WAF detection details
    • Bypass tips for the detected WAF
    • List of reflected payloads with context
    • Potential XSS vulnerabilities flagged
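
The context analysis in step 3 is what tells a developer which output encoding fixes a reflected parameter. The sketch below is an added example, not the project's scanner.py: it classifies where an inert marker is reflected in a response body using Python's standard html.parser. The marker value, function names and sample body are constructed for illustration.

```python
from html.parser import HTMLParser

CANARY = "zq7canary"  # constructed inert marker: letters and digits only
URL_ATTRS = {"href", "src", "action", "formaction"}

# Output handling each context calls for (defender-side remediation notes).
REQUIRED_ENCODING = {
    "html_text": "HTML-entity encode on output",
    "attribute": "attribute-encode and quote the value",
    "url_attribute": "allow-list the URL scheme, then attribute-encode",
    "event_handler": "keep untrusted data out of inline handlers",
    "script_block": "JavaScript-string encode or pass data as JSON",
}

class ReflectionContexts(HTMLParser):
    def __init__(self, marker):
        super().__init__(convert_charrefs=True)
        self.marker, self.in_script, self.found = marker, False, []

    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        for name, value in attrs:
            if value and self.marker in value:  # value is None for bare attributes
                ctx = ("event_handler" if name.startswith("on")
                       else "url_attribute" if name in URL_ATTRS
                       else "attribute")
                self.found.append((ctx, f"{tag}[{name}]"))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.marker in data:
            ctx = "script_block" if self.in_script else "html_text"
            self.found.append((ctx, "text"))

def classify_reflections(body, marker=CANARY):
    """Return (context, location, required_encoding) for each reflection."""
    parser = ReflectionContexts(marker)
    parser.feed(body)
    parser.close()  # flush text that is not followed by another tag
    return [(c, loc, REQUIRED_ENCODING[c]) for c, loc in parser.found]

# Constructed response body reflecting the canary in four contexts.
SAMPLE = ('<p>Results for zq7canary</p><input name="q" value="zq7canary">'
          '<a href="/s?q=zq7canary">again</a>'
          '<script>var q = "zq7canary";</script>')
```

Calling classify_reflections(SAMPLE) returns one entry per reflection in document order, so a single parameter that lands in several contexts shows every encoding it needs.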

Contributing

Contributions are welcome! Feel free to:

  • Add new WAF signatures
  • Submit additional bypass payloads
  • Report bugs or suggest features

Disclaimer

This tool is intended for authorized security testing only. Always obtain proper authorization before testing any web application for vulnerabilities. The authors are not responsible for misuse of this tool.

Quick Setup
Installation guide for this server

Install Package (if required)

uvx xsstarget_mcp_server

Cursor configuration (mcp.json)

{
  "mcpServers": {
    "vivashu27-xsstarget-mcp-server": {
      "command": "uvx",
      "args": [
        "xsstarget_mcp_server"
      ]
    }
  }
}