Cross-site scripting (often abbreviated XSS) is an often confusing vulnerability. It's counterintuitive. Often the best way to understand it is to see it in action, and the best way to test for it is to actually try to exploit it.

This site hosts a variety of demo scripts to illustrate XSS vulnerabilities. Just drop the test code strings into forms or other places where it will be served to a user later. If the application doesn't properly sanitize or escape values, the script may run!


The most basic test is to simply throw a warning in the browser console. This doesn't disrupt the user experience. If you are going to test these on a live site, this is your best option.

Copy the code below and paste it around in your application:

<script src="https://xssfun.com/whisper.js"></script>
Browser console showing a XSS warning
To start getting attention, though, try using this warning banner. So that it won't wreck a production application, it will only show the banner once per hour, based on a client side cookie.

Copy the code below and paste it around in your application:

<script src="https://xssfun.com/banner.js"></script>
Screen shot of the warning banner in use on a browser
Need to demonstrate more power? XSS attacks can do pretty much anything JavaScript can do, including take the user to a page controlled by an attacker. Imagine a bad actor didn't need for users to click on a phishing email - their browser would run the page automatically!

<script src="https://xssfun.com/rickroll.js"></script>
Posterized image of Rick Astley performing Never Gonna Give You Up