XSS (Cross-Site Scripting) Playground
[Playground panels: Sanitized Output (input rendered HTML-encoded) and Raw output / Vulnerable Output (input rendered as unencoded HTML)]
Common XSS Payloads
Basic Script Tag
<script>alert('XSS')</script>
Simple JavaScript alert using script tags. Caveat: browsers do not execute a <script> element inserted through innerHTML, so this payload only fires when the string lands in the page's HTML source (for example via server-side templating) or is written with document.write; it is the classic proof of concept, not the most reliable one.
Image Onerror
<img src='x' onerror="alert('XSS')">
Executes JavaScript when the image fails to load. The src 'x' is a nonexistent relative path, so the load always fails and the onerror handler fires, including when the markup is injected through innerHTML, which makes this payload more reliable than a bare <script> tag.
JavaScript URL
<a href='javascript:alert(`XSS`)'>Click me</a>
JavaScript execution in a URL: the javascript: scheme runs when the link is clicked. HTML-encoding the href value does not neutralize it, so anywhere user input becomes a link destination the URL scheme has to be validated against an allowlist (http, https) rather than merely encoded.
SVG Script
<svg><script>alert('XSS')</script></svg>
Script execution within an inline SVG element. Inline SVG in HTML follows its own parsing rules, and filters that only look for a top-level <script> tag can miss a script nested inside SVG markup.
About Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to:
- Session Hijacking: Stealing session cookies that are readable from script (not marked HttpOnly) or other tokens stored in the page, to impersonate legitimate users
- Phishing Attacks: Injecting malicious links or fake forms into a trusted page to harvest user credentials
- Defacement: Altering website content to display malicious or misleading information
- Data Theft: Exfiltrating sensitive information; the injected script runs in the application's origin, so it can read the DOM and make authenticated requests on the victim's behalf
Prevention Techniques
- Validate and sanitize user input on the server; client-side validation only improves the user experience, since an attacker controls the client and can bypass it
- Encode output for the context it is placed in (HTML body, HTML attribute, JavaScript string, URL); a single HTML encoder is not sufficient for every context, and user-supplied URLs additionally need a scheme allowlist
- Use a Content Security Policy (CSP) that restricts script sources and disallows inline scripts (script-src with nonces or hashes, without 'unsafe-inline'), so that an injected script is blocked even if encoding is missed
- Implement proper session management and set session cookies with the HttpOnly, Secure and SameSite attributes so scripts cannot read them and they are not sent on cross-site requests
- Conduct regular security audits and penetration testing
Note: This is an educational demonstration. In real applications, always validate input, encode output for its context, and implement robust security headers such as a Content Security Policy to prevent XSS.