Honestly, I don't think it works #4
Comments
It checks blind XSS, so there is no need for reflection; it will show only if the payload runs in your xsshunter profile, not in the terminal.
There's no browser involved, so the vulnerability will not be triggered. XSS is not a server-side vulnerability type, so your tool won't work at all.
Maybe it tries to fuzz BXSS payloads in headers.
I tested it on a vulnerable site; it doesn't work.
Sorry everyone for the late reply. Unfortunately this tool does not work, since the DOM needs to be rendered in order for the BXSS payload to fire. Good news: I will be working on a Rust version hopefully soon, so stay tuned for that. This time I will be using a headless browser to solve the problem I had with this tool. Meanwhile I will also fix this tool, so a new commit will be happening shortly. Regards,
I've made a ton of changes and
I read your code. It seems you are trying to insert XSS payloads into parameters and headers. However, you didn't check any response for the potentially reflected value.
Maybe you are trying to use the xsshunter platform to receive messages (as you mentioned, finding blind XSS), but the fact is, there's no browser involved, and the Go HTTP client will not render JavaScript or HTML. In other words, if there are vulnerabilities, you will miss them.
Prove me wrong if I am.
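The point made above (a non-rendering HTTP client can at most observe whether a probe string comes back in the body, and cannot tell whether a blind payload ever fires) as an added Go example that is not part of the tool or this thread; the `Classify` function, the canary string and the sample response bodies are constructed for illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// ReflectionStatus is everything a plain HTTP client can report about a
// probe string: absent, present only HTML-escaped, or present verbatim.
// Whether script would actually execute needs a browser to render the DOM.
type ReflectionStatus string

const (
	NotReflected ReflectionStatus = "not-reflected"
	EscapedOnly  ReflectionStatus = "escaped-only"
	RawReflected ReflectionStatus = "raw-reflected"
)

// Classify reports how canary appears in body. The canary is assumed to
// contain HTML metacharacters (< > " etc.), otherwise the raw and escaped
// forms are identical. A raw copy is the finding worth triaging by hand in
// a browser; an escaped copy means the application encoded its output.
func Classify(body, canary string) ReflectionStatus {
	if strings.Contains(body, canary) {
		return RawReflected
	}
	if strings.Contains(body, html.EscapeString(canary)) {
		return EscapedOnly
	}
	return NotReflected
}

func main() {
	// Constructed sample response bodies, not captured from any real site.
	canary := `<b id="canary-123">x</b>`
	samples := []struct{ name, body string }{
		{"encoded", "<p>Hello " + html.EscapeString(canary) + "</p>"},
		{"verbatim", "<p>Hello " + canary + "</p>"},
		{"dropped", "<p>Hello guest</p>"},
	}
	for _, s := range samples {
		fmt.Printf("%-8s -> %s\n", s.name, Classify(s.body, canary))
	}
}
```

Even a raw reflection is only a lead: the surrounding context (attribute, script block, comment) decides whether anything executes, which is exactly the part a headless browser would settle.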