I tried to evaluate the effectiveness of xsser (http://xsser.03c8.net) by letting it run against the "Web For Pentester" XSS tests (https://pentesterlab.com/exercises/web_for_pentester/course), as it implements very easily exploitable XSS vulnerabilities and thus serves as a good baseline.
However, the tool fails to find even the simplest (example 1) XSS vulnerability. If I understood correctly, the tool generates a unique hash per test case and checks if this hash is reflected in the response body.
However, looking at the verbose output and re-submitting one of the tests, the response indeed includes the hashes. So to me it seems like xsser generates a lot of false negatives.
Can somebody reproduce or tell me what I am missing?
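To make the "hash reflected in the response" logic concrete, here is an added example (not xsser's code, and not from the question) showing why a reflected marker alone is not enough: the checker has to distinguish a marker that comes back with its surrounding meta-characters intact from one that comes back HTML-encoded or stripped. The marker value and the response bodies are constructed inline so it runs offline.

```python
import html
import secrets
from urllib.parse import quote

def make_marker() -> str:
    # One unique token per test case, like the per-test hash described above.
    return secrets.token_hex(8)

def build_probe_url(base: str, param: str, marker: str) -> str:
    # Wrap the marker in '<' '>' so the response tells us whether output
    # encoding is applied, not just whether the value is echoed.
    return f"{base}?{param}={quote(f'<{marker}>', safe='')}"

def classify_reflection(marker: str, body: str) -> str:
    """Classify how the probe '<marker>' comes back in a response body.

    'raw'       - probe reflected verbatim: meta-characters survived, so output
                  encoding is missing (a real candidate, still needs context review)
    'encoded'   - marker present but '<' '>' were HTML-escaped (not exploitable as-is)
    'sanitized' - marker present, but the wrapper characters were removed
    'absent'    - marker not reflected at all
    """
    probe = f"<{marker}>"
    if probe in body:
        return "raw"
    if html.escape(probe) in body:
        return "encoded"
    if marker in body:
        return "sanitized"
    return "absent"

# Constructed marker and responses (fixed values so the results are reproducible).
MARKER = "4f2a9c1e7b3d5a60"
SAMPLE_RESPONSES = {
    "unescaped": f"<html><body>Hello <{MARKER}></body></html>",
    "escaped":   f"<html><body>Hello &lt;{MARKER}&gt;</body></html>",
    "stripped":  f"<html><body>Hello {MARKER}</body></html>",
    "missing":   "<html><body>Hello guest</body></html>",
}

def run_checks(responses=SAMPLE_RESPONSES, marker=MARKER) -> dict:
    # Only the 'raw' case is a detection; the others explain a scanner's silence.
    return {name: classify_reflection(marker, body) for name, body in responses.items()}

if __name__ == "__main__":
    print(build_probe_url("http://example.invalid/xss/example1.php", "name", MARKER))
    for name, verdict in run_checks().items():
        print(f"{name:10s} -> {verdict}")
```

When comparing this against xsser's verbose output, the question to answer is which of these four cases the re-submitted response actually falls into.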