Submit cross-site scripting vulnerabilities using the form below (HTTP response splitting, frame redirect and other vulnerabilities that can be exploited against users are also allowed).
Note: Script insertion vulnerabilities, which can lead to cross-site scripting, can also be used to damage a site by blocking visual access to it. This could be a crime in many countries, and we do not support this action.
Once the mirror has been validated and published, you should contact the webmasters of the affected web site and help them to fix the flaw.


Please use the following as a valid PoC for your XSS:
<iframe src="http://xssed.com">
Or: <script>alert(document.cookie)</script>
Mirrors with just marquee or h1 tags will be removed, thanks.

Be sure to verify that the XSS has not been submitted before, using the search field at the top.
If you don't know how to retrieve the POST content or cookies, you can use a Firefox plugin like Live HTTP Headers.
Author: (e.g.: your full name) 
URL: 
Code: 

You can submit XSS vulnerabilities in web-based e-mail providers (Yahoo, Gmail, Hotmail) or other websites that need user authentication, as well as in software applications, by mailing submissions/\xssed.com (replace "/\" with "@") with your name and an explanation that allows us to reproduce the vulnerability.
XSS cheat sheet: ha.ckers.org/xss.html - Different cross-site scripting attack vectors for filter evasion.

Updates:
06/03/2007: ONLY XSS affecting a different PAGE will be published as REXSSED. Don't try to send XSS that has already been published, as it will be deleted. Please do not make us lose time.
09/03/2007: Feel free to send us your (non-malicious) XSS scripts as .js if you want us to host them. The repository of scripts and images is available here.
12/03/2007: If you find any (very) famous web site vulnerable to CSRF/XSRF (cross-site request forgery), we may post a news item about it, as it cannot be mirrored. Just mail us an explanation.
26/03/2007: POST data can now be sent with the form. Do NOT fill in the field if no POST data is required for the XSS, or it will be deleted.
29/04/2007: We now allow submissions of "redirect" vulnerabilities, but only the direct redirects will be accepted.
10/06/2009: The on-hold queue is now huge, so please check carefully what you post. POST XSS have to be posted CORRECTLY, e.g.: var1=a&var2=XSS. Also, do not post a vulnerability that is already in the database; we lose a lot of time with those, thank you. Do not post a single vulnerability 100 times because it affects 100 pages of the same site; we will only publish 1.