This website intentionally includes pages that are susceptible to Cross-site Scripting (XSS) vulnerabilities.

It helps you understand how developer errors and bad configuration may let someone break into your website.

You can also use it to test your manual hacking skills.

To see how quickly Rapplex finds these vulnerabilities in a context-aware fashion, try out the demo.


div - single quote

non-executable tags


script tag

variable - no quote
variable - single quote
variable - double quote
variable - nested quotes (single - double)
variable - nested quotes (double - single)
variable - spaces - single quote
variable - spaces - double quote
variable - single quote - spaces
variable - double quote - spaces
variable - single quote - injection at the beginning
variable - double quote - injection at the beginning
variable - single quote - injection in the middle
variable - double quote - injection in the middle
variable - single quote - injection at the end
variable - double quote - injection at the end
variable - single quote - addition
variable - double quote - addition
single line comment #1
single line comment - LF filtered
single line comment #2
multi line comment #1
multi line comment #2
method call
function name

HTML event

event - no quote
event - single quote
event - double quote
event - single quote - prefixed
event - single quote - suffixed
event - double quote - prefixed
event - double quote - suffixed
event - backtick

external script injection



HTML comment - injection at the beginning
HTML comment - blacklisted
HTML comment


a.href - spaces
a.href - no quote - prefixed
a.href - no quote - suffixed
a.href - single quote - prefixed
a.href - double quote - prefixed
a.href - single quote - suffixed
a.href - double quote - suffixed
a.href - javascript protocol
a.href - single quote


frame.src in a frameset
frame.src in a frameset - double quote - prefixed
frame.title in a frameset
insert attribute into frame in a frameset

attribute / tag insertion

insert attribute - no quote
insert attribute - single quote
insert attribute - double quote
insert tag

multiple attributes

multi attribute


load from a folder

multi injection points

multiple injected tags
a.href - multiple positions
div - multiple positions
a tag - injection inside

case sensitivity

script variable - lower cased
script variable - upper cased

HTML Encoded

attr - no quote
attr - single quote
attr - double quote

developer mistakes

Forgot to encode all inputs

META tags

link - type:alternate
link - type:stylesheet

False Positive

false positive #1


Base tag hijacking


Form hijacking