Free XSS Scanner
Check any website for cross-site scripting indicators
Enter a URL to passively analyze a page for cross-site scripting (XSS) risk indicators. This tool checks for missing CSP headers, inline event handlers, unsafe JavaScript patterns, reflected parameters, and third-party script inclusions — without injecting any payloads.
How it works
How XSS Scanner works
Enter a URL
Paste any URL — ideally one with query parameters so the scanner can check for reflected input. The scanner fetches the page and analyzes its content passively.
Passive XSS analysis
We check for missing Content-Security-Policy headers, inline JavaScript event handlers, unsafe DOM manipulation patterns, reflected URL parameters in the response body, and third-party script inclusions.
Get risk assessment and fixes
Each XSS indicator is explained with its risk level and specific remediation steps — from CSP configuration to input sanitization best practices.
Features
What XSS Scanner checks
Check Content-Security-Policy protection
Verifies whether a CSP header exists and whether it blocks inline script execution. Missing or misconfigured CSP is the primary reason XSS attacks succeed in modern applications.
Detect inline event handlers
Scans HTML for inline event attributes like onclick, onerror, onload, and onmouseover that execute JavaScript directly in the markup — common XSS injection targets.
Find reflected URL parameters
Checks whether query parameter values from the URL appear in the response body, which indicates potential reflected XSS if the output isn't properly encoded.
Identify unsafe JavaScript patterns
Searches for dangerous patterns like document.write, innerHTML assignments, and eval() calls that create DOM-based XSS sinks if they process untrusted input.
Catalog third-party script sources
Lists external script domains loaded by the page. Each third-party script is a potential supply-chain attack vector — if compromised, it can inject malicious code into your site.
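As an added example (not the scanner's own code), a minimal passive checker in Python that applies the five indicators above to one fetched page. The URL, response headers and HTML body are constructed sample input; the regexes and the 3-character floor for reflected values are assumptions of this example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample input (not a real site): requested URL, response headers, HTML body.
SAMPLE_URL = "https://shop.example/search?q=widgets&page=2"
SAMPLE_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
SAMPLE_BODY = """<html><body><h1>Results for widgets</h1>
<img src="x" onerror="track()"><button onclick="go()">Next</button>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="/static/app.js"></script>
<script>out.innerHTML = location.hash; eval(code);</script>
</body></html>"""

EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.I)          # onclick=, onerror=, ...
EXT_SCRIPT = re.compile(r'''<script[^>]+src=["']?(https?://[^"'\s>]+)''', re.I)
UNSAFE_JS = ("document.write", ".innerHTML", "eval(")   # DOM XSS sinks

def csp_blocks_inline(headers):
    """None if no CSP header; else True when script-src (or the default-src
    fallback) exists and does not allow 'unsafe-inline'."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return None
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    src = directives.get("script-src", directives.get("default-src"))
    if src is None:
        return False  # no script-governing directive: inline script runs
    return "'unsafe-inline'" not in src

def analyze(url, headers, body):
    """Return the passive XSS indicators for one fetched page."""
    host = urlparse(url).hostname
    # Values shorter than 3 chars reflect by chance too often to be useful.
    reflected = [k for k, v in parse_qsl(urlparse(url).query) if len(v) >= 3 and v in body]
    third_party = sorted({urlparse(s).hostname for s in EXT_SCRIPT.findall(body)} - {host})
    return {"csp_blocks_inline": csp_blocks_inline(headers),
            "inline_handlers": len(EVENT_ATTR.findall(body)),
            "reflected_params": reflected,
            "unsafe_js": [p for p in UNSAFE_JS if p in body],
            "third_party_scripts": third_party}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

A reflected parameter is only an indicator: whether it is exploitable depends on the output context and encoding, which this check does not evaluate.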
Use cases
Who should use the free XSS Scanner
Web Developers
Check your pages for XSS risk indicators before deployment. Identify missing CSP headers, inline handlers that need refactoring, and reflected parameters that need encoding.
Security Engineers
Quickly assess a web application's XSS attack surface during a security review. Prioritize pages with reflected parameters and missing CSP for deeper manual testing.
QA Teams
Include XSS indicator checks in your testing workflow. Catch regressions where new features introduce inline event handlers or remove CSP protections.
Go beyond XSS Scanner
This free XSS Scanner checks a handful of things. Maced's AI pentest checks thousands.
Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.
Proof of exploit on every finding · SOC 2 & ISO 27001 compatible