🚨 XSS Vulnerability Demonstration

⚠️ WARNING

This page is intentionally vulnerable to demonstrate XSS attacks for educational purposes!

Test XSS Vulnerability

🚨 Your input was reflected without escaping:

If you see an alert or other script execution, the XSS attack worked!

Try these XSS payloads:

<script>alert('XSS!')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src=javascript:alert('XSS')>
<script>document.cookie='stolen='+document.cookie</script>

What makes this vulnerable?

User input is reflected directly into HTML without encoding/escaping
No Content Security Policy (CSP) headers
No input validation or sanitization
HTML contexts allow script execution

How to fix:

Always encode/escape user input before rendering
Use Content Security Policy headers
Validate and sanitize all user input
Use frameworks that auto-escape by default

'); // Simulate cookie stealing (for demo purposes) if (''.includes('document.cookie')) { console.log('🚨 Cookie stealing attempt detected!'); console.log('Available cookies:', document.cookie); }