Invalid Password
You entered a bad password. Don't do that too much or you'll be rate limited.
Official Announcement Regarding Email Notifications
Due to the high level of abuse/traffic this service gets, we were previously banned from multiple email services. For this reason, email notifications were previously unavailable for XSS Hunter users. I have now re-enabled email notifications; however, it is self-hosted. For those not familiar with self-hosting email, it is extremely likely that the email notifications you receive will be sent to spam. If you'd like to receive these notifications please whitelist emails from for your email provider. Thanks :)
Invalid Account Information
The following field(s) contain invalid data:

Account Settings Updated Successfully!
Your account settings have been updated, changes take effect immediately.
Password Reset Performed Successfully
If you have an account with us then we've sent a password reset message to that email address.

Log In

Reset Password

XSS Payload Fires
Thumbnail | Victim IP | Vulnerable Page URI | Options
Collected Pages
Page URI | Options
- Basic XSS payload.

- For use where URIs are taken as input.

- For bypassing poorly designed blacklist systems with the HTML5 autofocus attribute.

- Another basic payload for when <script> tags are explicitly filtered.

- HTML5 payload, only works in Firefox, Chrome and Opera

- HTML5 payload, only works in Firefox, Chrome and Opera

- For exploitation of web applications whose Content Security Policy contains script-src but has unsafe-inline enabled.

- Example payload for sites that include jQuery.

Note: Must be used with an XSS Hunter compatible client tool, click here for an example. If you want to build your own please see our documentation. Note that injection requests are only stored for 30 days and are purged afterwards. You will still receive XSS alerts after 30 days but they won't be correlated.