Testing cross-site scripting

Google created the Gruyere project as a means to test web application exploits and defenses. The Gruyere project website has several vulnerabilities deliberately embedded in it, including XSS. You can run your own instance of Gruyere online, or you can download it to a local machine for your testing.

Once we were logged into our own instance of Gruyere, we copied the string shown below into the username input field and clicked the Submit button. The following screenshot shows the Gruyere home page with the CHAOS script displayed.

The string used in the input field is as follows:

CHAOS<script>alert('www.DrChaos.com')</script>

Once we submitted the XSS string in the username input field, we noticed that some of the code was displayed on the website. From that point on, a pop-up alert was generated anywhere the username was rendered on the website: the input was stored and echoed back into the page without being encoded.
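To show why the username causes a pop-up and what the fix looks like, here is an added Python example (not Gruyere's own code; Gruyere is written in Python, which is why that language is used). It renders the same test string from this page through two hypothetical greeting templates, one that concatenates raw input and one that HTML-encodes it with the standard library, and includes a simple check a tester can run over rendered output to see whether a literal script tag survived.

```python
import html
import re

# Constructed test input: the same string the text above enters into the
# Gruyere username field.
TEST_USERNAME = "CHAOS<script>alert('www.DrChaos.com')</script>"


def render_greeting_vulnerable(username: str) -> str:
    """Hypothetical template with the defect Gruyere demonstrates: user input
    is concatenated straight into the HTML, so markup in the username is
    interpreted by the browser."""
    return "<p>Welcome, " + username + "!</p>"


def render_greeting_escaped(username: str) -> str:
    """Same greeting, but the input is HTML-encoded before it lands in markup.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "!</p>"


# Matches an unencoded <script tag (case-insensitive, optional whitespace).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """Return True if a literal <script> tag is present in the rendered page,
    i.e. the input reached the browser without encoding."""
    return SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_greeting_vulnerable),
                           ("escaped", render_greeting_escaped)):
        page = renderer(TEST_USERNAME)
        print(f"{name:>10}: {page}")
        print(f"{'':>10}  live script tag present: {contains_live_script(page)}")
```

Run the script and compare the two rendered lines: the vulnerable template emits `<script>` verbatim, while the escaped one emits `&lt;script&gt;` and `&#x27;`, which the browser displays as text rather than executing. The `contains_live_script` check is the same comparison a tester makes by viewing the page source after submitting the string.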

In addition, http://xss.progphp.com/ is another popular site for testing XSS attacks and scripts. You can enter several scripts into the website to see safely how XSS interacts with websites and with your own web browser.
