🛡️ Surf XSS Protection Test Page

Test XSS detection and protection features. Enable your extension and try the tests below.

Test 1: Basic XSS Attack Vectors

Test common XSS payloads that should be detected and blocked.

Test 2: DOM-based XSS

Test XSS through DOM manipulation methods.

Test 3: Obfuscated XSS Payloads

Test encoded and obfuscated XSS payloads that should still be detected.

Test 4: Advanced XSS Techniques

Test more sophisticated XSS attack techniques.

Test 5: Context-Aware Detection

Test that legitimate code (frameworks, first-party scripts) is not flagged, i.e. that the detector avoids false positives.

Test 6: Network-based XSS Vectors

Test XSS through network requests and responses.

Test 7: CSP Violation Detection

Test Content Security Policy violation detection. These tests require a page with CSP headers.

Note: CSP violations are detected automatically whenever a page that sends CSP headers triggers one, so testing this feature requires a page with CSP enabled. The extension will detect and report the violations.

🔍 Test 8: Taint Detection Validation

Purpose: These tests validate that taint detection works correctly for different taint sources.
How it works: Each test REQUIRES actual URL parameters, hash, referrer, or user input to work.
⚠️ These tests will NOT work with fallback values - they need real taint sources.

URL Parameter Taint (Reflected XSS)

These tests require URL parameters to be present. Add them to the URL like: ?html=<script>alert('XSS')</script>

URL Hash Taint (DOM-Based XSS)

These tests require URL hash fragments. Add them like: #<script>alert('XSS')</script>

Referrer Taint (Reflected XSS)

These tests require a referrer. Open this page from a link with a query parameter.

User Input Taint (Form-Based XSS)

Type in the input field below, then click the test buttons. The input value will be used.


⚠️ Test 9: Real-World High-Risk Attacks

These tests simulate real XSS attacks whose code runs from first-party sources but carries tainted data. They exercise the taint-aware first-party detection: alerts should fire even though the code is same-origin.

How it works: These attacks use URL parameters, hash fragments, or user input that is reflected into the page or executed. Even though the code runs from the same origin (first-party), it should be detected because the data it carries is tainted.
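The taint-source idea behind Tests 8 and 9 (URL parameters, hash, referrer and form input flowing into a sink regardless of which origin the code came from), shown as an added example that is not Surf's own code. The context object, the MIN_TAINT_LENGTH threshold and the sample URLs are constructed for the demonstration.

```javascript
// Added example (not Surf's own code): a minimal taint-aware sink check.
// A string about to reach a dangerous sink (innerHTML, document.write, eval)
// is compared with the taint sources the page lists: URL query parameters,
// the URL hash, the referrer's query parameters and user-typed form input.
// Same-origin (first-party) code gets no exemption; only the data's origin matters.

// Assumption: values shorter than this are ignored to limit false positives
// from short, common substrings such as "1" or "en".
const MIN_TAINT_LENGTH = 4;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// ctx is a constructed stand-in for window.location / document state:
// { search, hash, referrer, userInput }.
function collectTaintSources(ctx) {
  const sources = [];
  for (const [name, value] of new URLSearchParams(ctx.search || "")) {
    sources.push({ kind: "url-param", name, value });
  }
  if (ctx.hash && ctx.hash.length > 1) {
    sources.push({ kind: "url-hash", name: "#", value: safeDecode(ctx.hash.slice(1)) });
  }
  if (ctx.referrer) {
    for (const [name, value] of new URL(ctx.referrer).searchParams) {
      sources.push({ kind: "referrer", name, value });
    }
  }
  if (ctx.userInput) {
    sources.push({ kind: "user-input", name: "input", value: ctx.userInput });
  }
  return sources.filter((s) => s.value.length >= MIN_TAINT_LENGTH);
}

// Reports the taint sources whose value survives, verbatim or URL-decoded,
// inside the string headed for the sink.
function checkSink(sinkValue, ctx) {
  const hits = collectTaintSources(ctx).filter(
    (s) => sinkValue.includes(s.value) || sinkValue.includes(safeDecode(s.value)));
  return { tainted: hits.length > 0, sources: hits.map((s) => `${s.kind}:${s.name}`) };
}

// Constructed scenario matching Test 8: the page reflects ?html= into innerHTML.
const DEMO_CTX = { search: "?html=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&lang=en",
  hash: "", referrer: "https://example.test/landing?q=hello%20world", userInput: "" };
const reflected = "<div>" + new URLSearchParams(DEMO_CTX.search).get("html") + "</div>";
console.log(checkSink(reflected, DEMO_CTX));                // tainted by url-param:html
console.log(checkSink("<div>static first-party markup</div>", DEMO_CTX)); // not tainted
```

The second call shows the Test 5 side of the same logic: first-party markup that contains no source-derived data is left alone.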
