Deprecation Notice
The XSS Hunter service is being deprecated on February 11th 2023. To continue to use your subdomain after this date, please set either a redirect URI or a static JavaScript payload under "Settings". For more information, see "XSS Hunter Deprecation FAQ".

XSS Payload Fires
Thumbnail Victim IP Vulnerable Page URI Options
Collected Pages
Page URI Options
- Basic XSS payload.

- For use where URIs are taken as input.

- For bypassing poorly designed blacklist systems with the HTML5 autofocus attribute.

- Another basic payload for when <script> tags are explicitly filtered.

- HTML5 payload, only works in Firefox, Chrome and Opera.

- HTML5 payload, only works in Firefox, Chrome and Opera.

- For exploitation of web applications whose Content Security Policy contains script-src but has unsafe-inline enabled.

- Example payload for sites that include jQuery.

Note: Must be used with an XSS Hunter compatible client tool; click here for an example. If you want to build your own, please see our documentation. Injection requests are only stored for 30 days and are purged afterwards. You will still receive XSS alerts after 30 days, but they won't be correlated.