What separates a useful XSS detector from a noisy one isn't the payload list. It's whether it knows where your input landed.
When input is reflected back into a page it ends up somewhere specific, and each place needs a completely different escape:
- In the HTML body, a plain <script> or an event handler on an injected tag works.
- Inside an attribute (value="HERE"), you have to break out of the quotes before anything executes.
- Inside a <script> block, you're already in a code context, so you don't inject a tag, you close or extend the statement.
A dumb scanner fires the same <script>alert(1)</script> everywhere and misses three-quarters of real bugs, because in two of those three contexts that payload is completely inert.
So xss-probe looks before it leaps:
1. inject a unique harmless marker: kx9f3z
2. find every place kx9f3z is reflected in the response
3. classify each one: body / attribute / script / comment / URL
4. pick a context-specific break-out payload per location
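Steps 2 and 3 in Python, as an added example that is not xss-probe's own code: a heuristic scanner that finds every reflection of the marker and labels its context, paired with the escaping each landing spot needs rather than a payload. It adds a `tag` label for a marker that lands in tag or attribute-name position, a case the list above does not name, and the probe response it scans is constructed.

```python
import re

URL_ATTRS = {"href", "src", "action", "formaction"}  # attribute values that are URLs

# Defender's reading of step 4: the encoding each context needs before the value is safe.
REQUIRED_ESCAPE = {
    "body": "HTML-entity encode < > & \" '",
    "attribute": "HTML-entity encode and always quote the attribute",
    "url": "percent-encode and allow only http(s) schemes",
    "script": "JSON-encode; never concatenate into JS source",
    "comment": "do not reflect into comments at all",
    "tag": "do not reflect into tag or attribute names at all",
}


def _open_attribute(fragment):
    """Name of the attribute whose value `fragment` (text from a tag's '<' to the marker) ends
    inside, or None. Closed quoted values are blanked first so only a still-open quote survives."""
    cleaned = re.sub(r'"[^"]*"|\'[^\']*\'', "~", fragment)
    m = re.search(r'([\w:-]+)\s*=\s*["\']', cleaned)                # quoted value still open
    if m is None:
        m = re.search(r'([\w:-]+)\s*=\s*[^\s"\'=<>]*$', cleaned)     # unquoted value
    return m.group(1).lower() if m else None


def classify_reflections(html, marker):
    """Return [(offset, context, attr_name)] for each reflection of marker. Heuristic, not a full
    parser: assumes no '<' inside attribute values and no '<!--' inside script code."""
    lower, found = html.lower(), []
    for pos in (m.start() for m in re.finditer(re.escape(marker), html)):
        ctx, attr = "body", None
        s_open = lower.rfind("<script", 0, pos)
        lt, gt = html.rfind("<", 0, pos), html.rfind(">", 0, pos)
        if lower.rfind("<!--", 0, pos) > lower.rfind("-->", 0, pos):
            ctx = "comment"
        elif s_open > lower.rfind("</script", 0, pos) and -1 < html.find(">", s_open) < pos:
            ctx = "script"                                 # past the <script ...> tag, in JS
        elif lt > gt:                                      # inside a tag, not in text
            attr = _open_attribute(html[lt:pos])
            ctx = "tag" if attr is None else "url" if attr in URL_ATTRS else "attribute"
        found.append((pos, ctx, attr))
    return found


# Constructed probe response: the marker kx9f3z lands in five different contexts.
SAMPLE = ('<p>Results for kx9f3z</p>\n<input type="text" value="kx9f3z">\n'
          '<a href="/search?q=kx9f3z">again</a>\n<script>var q = "kx9f3z";</script>\n'
          '<!-- debug: kx9f3z -->')
for pos, ctx, attr in classify_reflections(SAMPLE, "kx9f3z"):
    print(f"offset {pos:4d}  {ctx:9s} {attr or '-':6s} -> {REQUIRED_ESCAPE[ctx]}")
```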
It's the difference between a battering ram and a lockpick. The battering ram is louder and works less often. Look first, then send.