You can use this Firefox add-on:

  • XSS Me

XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.

The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.

You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.

Answer from Sarfraz on Stack Overflow
🌐
OWASP Foundation
owasp.org › www-project-web-security-testing-guide › latest › 4-Web_Application_Security_Testing › 07-Input_Validation_Testing › 01-Testing_for_Reflected_Cross_Site_Scripting
Testing for Reflected Cross Site Scripting
See the example below. Analyze each input vector to detect potential vulnerabilities. To detect an XSS vulnerability, the tester will typically use specially crafted input data with each input vector.
People also ask

What is cross-site scripting (XSS)?
Cross-site scripting (XSS) is a type of vulnerability where the code sent by the attacker is executed back in the user’s browser. The malicious code is written in a scripting language, usually JavaScript. Learn more about cross-site scripting in general.
🌐
acunetix.com
acunetix.com › blog › web-security-zone › test-xss-skills-vulnerable-sites
Test Your XSS Skills Using Vulnerable Sites | Acunetix
What are the types of cross-site scripting?
There are three primary types of cross-site scripting vulnerabilities. Stored (persistent) XSS happens when an attacker injects malicious code into the target application – when victims visit the page, their browsers execute this code. Reflected (non-persistent) XSS happens when an attacker uses a malicious phishing link and malicious code is executed as part of the response from the server. DOM XSS happens within the Document Object Model (DOM) of the browser, often with no information sent to the server. Learn more about the types of cross-site scripting.
Is it legal to practice cross-site scripting?
It is completely legal to practice cross-site scripting on sites that are dedicated for that purpose. In this article, you can learn about the most popular sites that are intentionally vulnerable. You can also install your own local vulnerable applications such as bWAPP, OWASP Juice Shop, or DVWA and use them to practice. If you want to see how Acunetix scans vulnerable applications, find out how to configure it with bWAPP.
🌐
Appspot
xss-game.appspot.com
XSS Game - Google App Engine
This security game consists of several levels resembling real-world applications which are vulnerable to XSS - your task will be to find the problem and attack the apps, similar to what an evil hacker might do. XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input.
🌐
Pentest-Tools
pentest-tools.com › home › website scanner › xss scanner
XSS Scanner - Online Scan for Cross-site Scripting Vulnerabilities
Test for script injection, and receive confirmed XSS findings with minimal configuration. Our scanner injects real JavaScript payloads, verifies execution, and gives you proof, so you can trust what you fix.
🌐
BrowserStack
browserstack.com › home › guide › cross-site scripting (xss) testing to prevent xss attacks
Cross-Site Scripting (XSS) Testing for Websites | BrowserStack
August 4, 2025 - Learn in detail about Cross-Site Scripting (XSS) attacks, their types, how to test your websites for XSS, and how to resolve them effectively.
🌐
Hackviser
hackviser.com › cross-site scripting (xss)
Cross-Site Scripting (XSS) Attack Guide | Hackviser
Learn how to test and exploit Cross-Site Scripting (XSS) vulnerabilities including detection, attack vectors and bypass techniques.
🌐
Acunetix
acunetix.com › blog › web-security-zone › test-xss-skills-vulnerable-sites
Test Your XSS Skills Using Vulnerable Sites | Acunetix
February 19, 2025 - We compiled a Top-10 list of web applications that were intentionally made vulnerable to Cross-site Scripting (XSS). They were created so that you can learn in practice how attackers exploit XSS vulnerabilities by testing your own malicious code.
🌐
Invicti
invicti.com › blog › web-security › test-xss-skills-vulnerable-sites
Vulnerable Test Sites to Test Your XSS Skills: Hands-On AppSec
March 13, 2025 - By testing XSS payloads on intentionally vulnerable sites, you can observe how XSS attacks work and legally hone your offensive skills (and defensive awareness) without asking for permission or causing any harm.
🌐
CircleCI
circleci.com › blog › xss-attacks
Prevent XSS attacks with browser testing - CircleCI
August 26, 2024 - The Submit button is clicked, and once the form is submitted, the display section is checked for a string with length greater than zero (non-text HTML elements will return a string with a length of zero). Once the test is done running, close the browser. Now you have the XSS test in place to check for an attack.
🌐
PortSwigger
portswigger.net › web-security › cross-site-scripting
What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy
The vast majority of XSS vulnerabilities can be found quickly and reliably using Burp Suite's web vulnerability scanner. Manually testing for reflected and stored XSS normally involves submitting some simple unique input (such as a short alphanumeric string) into every entry point in the application, identifying every location where the submitted input is returned in HTTP responses, and testing each location individually to determine whether suitably crafted input can be used to execute arbitrary JavaScript.
🌐
Software Testing Help
softwaretestinghelp.com › home › security testing › cross-site scripting (xss) testing: xss alert example
Cross-Site Scripting (XSS) Testing: XSS Alert Example
May 9, 2025 - Cross-Site Scripting is one of the most popular risky attacks, and there are plenty of tools to test it automatically. We can find various scanners to check for possible XSS attack vulnerabilities, like Nessus and Nikto.
🌐
OWASP Foundation
owasp.org › www-project-web-security-testing-guide › latest › 4-Web_Application_Security_Testing › 07-Input_Validation_Testing › 02-Testing_for_Stored_Cross_Site_Scripting
Testing for Stored Cross Site Scripting
If the input is escaped by the application, testers should test the application for XSS filters. For instance, if the string “SCRIPT” is replaced by a space or by a NULL character then this could be a potential sign of XSS filtering in action. Many techniques exist in order to evade input filters (see the testing for reflected XSS chapter).
🌐
CoreWin
corewin.ua › home › blog
Vulnerable Test Sites to Test Cross-Site Scripting Skills - CoreWin
April 11, 2025 - This web application contains over 100 vulnerabilities and offers a deep dive into web security, including cross-site scripting, API security flaws, and cross-site request forgery (CSRF). It allows users to test persistent XSS, where embedded scripts are executed every time a user loads a web page.
🌐
Cobalt
cobalt.io › blog › testing-for-reflective-xss
Testing for Reflective XSS | Cobalt
September 18, 2025 - Reflected XSS is a type of Cross-Site Scripting attack where the malicious script is injected via user input and immediately reflected back in the web page’s response. This occurs when input is improperly validated and included in the output without proper encoding. To begin, understand the application's functionality and identify all input vectors, such as URL parameters, forms, and headers. Test these points using simple, unique strings to determine if the input is reflected in the response.
🌐
GitHub
github.com › s0md3v › xsstrike
GitHub - s0md3v/XSStrike: Most advanced XSS scanner. · GitHub
XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.
Starred by 14.9K users
Forked by 2.1K users
Languages   Python 98.8% | HTML 1.2%
🌐
Bright Security
brightsec.com › blog › xss-attack
XSS Attack: 3 Real Life Attacks and Code Examples - Bright Security
August 10, 2025 - Bright can automatically crawl your applications to test for reflected, stored and DOM-based XSS vulnerabilities, giving you maximum coverage, seamlessly integrated across development pipelines.
🌐
Medium
rodelllemit.medium.com › web-app-pentesting-dom-based-xss-test-case-f9ac4c2a804d
Web App Pentesting: DOM-based XSS Test Case | by @ro0taddict | Medium
March 11, 2025 - The main difference between Reflected and Stored XSS compared to DOM-Based XSS is that in Reflected and Stored XSS, the attacker’s payload is sent to the server at some point — either as part of a request (Reflected) or stored in a database (Stored). In contrast, DOM-Based XSS occurs entirely within the browser, where the malicious script is executed directly in the Document Object Model (DOM) without ever reaching the server.
🌐
SoapUI
soapui.org › docs › security-testing › security-scans › cross-site-scripting
Cross-site Scripting | SoapUI Docs
The Cross-site scripting Security Scan tries to attack the web service by replacing the TestStep’s original parameters with harmless strings, resembling the type of malicious strings that are used in real attacks.
🌐
Medium
medium.com › @sumayasomow › cross-site-scripting-xss-vulnerabilities-f7c8e63b2f10
Cross-Site Scripting (XSS) Vulnerabilities | by Sumayasomow | Medium
January 11, 2025 - Use web vulnerability scanners to detect XSS vulnerabilities. Test applications with tools like WebGoat to simulate XSS attacks.
🌐
TutorialsPoint
tutorialspoint.com › security_testing › testing_cross_site_scripting.htm
Testing Cross-Site Scripting
Step 1 − Login to Webgoat and navigate to cross-site scripting (XSS) Section. Let us execute a Stored Cross-site Scripting (XSS) attack.