xss-detection
XSS Detection
Overview
Find, prove, and fix Cross-Site Scripting vulnerabilities. XSS lets attackers inject scripts into web pages viewed by other users — stealing sessions, redirecting to phishing sites, or modifying page content.
Instructions
XSS Types
Reflected XSS
The malicious script comes from the current HTTP request. The payload is carried in the URL or a form submission and is reflected back in the response:
Attack flow:
1. Attacker crafts URL: https://site.com/search?q=<script>alert(1)</script>
2. Victim clicks the link
3. Server includes the query in the response without sanitization
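The flow above as an added example (not part of the original skill): a search handler that reflects the query as-is, the same handler with output encoding, and a marker-based check that tells the two apart. The function names and the marker string are assumptions made for illustration.

```javascript
// Added example; escapeHtml, renderSearchVulnerable, renderSearchSafe,
// isReflectedUnencoded and queryFromUrl are hypothetical names.

// HTML-encode the characters that can change parsing context in element
// content and in quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Step 3 of the flow: the query is concatenated into the response unchanged.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Fix: encode at the point of output, for the HTML body context.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Detection check: submit a unique marker containing markup characters and
// report whether it comes back byte-for-byte in the response body.
// The marker value is constructed for this example.
function isReflectedUnencoded(render, marker = "xss7f3a\"<>'") {
  return render(marker).includes(marker);
}

// Recover the q parameter the way a server would see it after URL decoding.
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q") ?? "";
}

// The URL from step 1 of the flow.
const q = queryFromUrl("https://site.com/search?q=<script>alert(1)</script>");
console.log(renderSearchVulnerable(q)); // script element reaches the browser
console.log(renderSearchSafe(q));       // rendered as inert text
console.log(isReflectedUnencoded(renderSearchVulnerable),
            isReflectedUnencoded(renderSearchSafe));
```

The encoder covers the HTML body and quoted-attribute contexts only; values placed inside a script block, a URL attribute or CSS need the encoding for that context.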