Designed to help stop Reflected Cross-Site Scripting (XSS) attacks, but often abused to extract information from pages: whether the auditor blocks or not reveals whether a given string is present in the response, which makes it a cross-site leak oracle. Introduced in Internet Explorer 8 in 2009 as XSS Filter and in Chrome 4 in 2010, and controlled by the X-XSS-Protection HTTP header. Microsoft removed the filter from Edge in 2018, Chrome removed XSS Auditor completely in Chrome 78 (2019), and Apple removed it in Safari 15.4.


The X-XSS-Protection response header:

X-XSS-Protection: 1; report=https://ampex.has.report/report

There is some JavaScript on this page, and hitting the button below sends that same JavaScript in the request. The browser then sees a request containing some code and the same code coming back in the response, so this must be a Reflected XSS attack! It has no way of knowing that the code is always on the page and nothing was actually reflected, but it acts on the heuristic anyway: with X-XSS-Protection: 1 the auditor strips the matching script (and Chromium posts a report to the report= endpoint), and with mode=block it refuses to render the page at all.
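To make the false positive concrete, here is a toy model of the heuristic described above, written for this page (it is not Chromium's code). It parses an X-XSS-Protection value, extracts the inline scripts from a response, and checks whether any of them also appears in the request after percent-decoding and whitespace stripping. The minimum script length, the demo page, the request URLs and the "always here" script are all constructed for the example; the report body follows the xss-report shape Chromium sent.

```javascript
// Added example (not Chromium's code): a toy model of the reflected-XSS
// heuristic that the XSS Auditor applied, plus parsing of the
// X-XSS-Protection header that controlled it. Chromium matched tokenized
// HTML with elaborate normalisation; here we simply compare inline <script>
// bodies against the request so the false positive on this demo page
// (script is always in the page, but also appears in the request) is visible.

// Parse an X-XSS-Protection header value such as "1; mode=block; report=<url>".
// Absent header: auditor on, in sanitize mode (Chromium's default).
function parseXssProtection(value) {
  const policy = { enabled: true, block: false, report: null };
  if (value == null) return policy;
  const parts = value.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts[0] === '0') return { enabled: false, block: false, report: null };
  if (parts[0] !== '1') return policy; // assumption: unparseable value falls back to default
  for (const directive of parts.slice(1)) {
    const eq = directive.indexOf('=');
    const name = (eq < 0 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? '' : directive.slice(eq + 1).trim();
    if (name === 'mode' && val.toLowerCase() === 'block') policy.block = true;
    else if (name === 'report' && val) policy.report = val;
  }
  return policy;
}

// Pull inline <script> bodies out of the response (no comment/CDATA handling).
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Compare after percent-decoding and stripping whitespace, so that
// "?q=document.getElementById(%27out%27)" still matches the page's script.
function normalise(s) {
  let decoded = s;
  try { decoded = decodeURIComponent(s); } catch (_) { /* keep raw on malformed %xx */ }
  return decoded.replace(/\s+/g, '');
}

// Decide what the auditor would do with one request/response pair.
// Returns { action: 'allow' | 'sanitize' | 'block', matched: [...], report }.
function audit(request, responseHtml, headerValue) {
  const policy = parseXssProtection(headerValue);
  if (!policy.enabled) return { action: 'allow', matched: [], report: null };
  const haystack = normalise(`${request.url}\n${request.body || ''}`);
  // Ignore very short scripts so a stray "1" in a URL does not trip the check
  // (an assumption standing in for Chromium's more careful token matching).
  const matched = inlineScripts(responseHtml).filter((body) => {
    const needle = normalise(body);
    return needle.length >= 8 && haystack.includes(needle);
  });
  if (matched.length === 0) return { action: 'allow', matched, report: null };
  // Shape of the JSON document Chromium POSTed to the report= endpoint.
  const report = policy.report
    ? { endpoint: policy.report,
        body: { 'xss-report': { 'request-url': request.url, 'request-body': request.body || '' } } }
    : null;
  return { action: policy.block ? 'block' : 'sanitize', matched, report };
}

// Constructed demo data (not taken from the original page).
const HEADER = '1; report=https://ampex.has.report/report';
const DEMO_SCRIPT = "document.getElementById('out').textContent = 'always here';";
const DEMO_PAGE = `<!doctype html><body><p id="out"></p><script>${DEMO_SCRIPT}</script></body>`;
const DEMO_URL = 'https://demo.example/xss-auditor';
const ECHO_BODY = 'code=' + encodeURIComponent(DEMO_SCRIPT);

// 1. Ordinary visit: nothing in the request matches the page's script.
const normalVisit = audit({ url: DEMO_URL, body: '' }, DEMO_PAGE, HEADER);

// 2. The page's own button POSTs its own script back: a false positive.
const falsePositive = audit({ url: DEMO_URL, body: ECHO_BODY }, DEMO_PAGE, HEADER);

// 3. Same request, but the page opted into blocking the whole document.
const blocked = audit({ url: DEMO_URL, body: ECHO_BODY }, DEMO_PAGE, '1; mode=block');

// 4. Same request with the auditor switched off by the page.
const disabled = audit({ url: DEMO_URL, body: ECHO_BODY }, DEMO_PAGE, '0');

// 5. A genuine reflection: the search term lands in the page unescaped.
const payload = '<script>alert(document.domain)</script>';
const realReflection = audit(
  { url: `${DEMO_URL}?q=${encodeURIComponent(payload)}`, body: '' },
  `<!doctype html><body><p>Results for ${payload}</p></body>`, HEADER);

console.log(normalVisit.action, falsePositive.action, blocked.action, disabled.action, realReflection.action);
console.log(JSON.stringify(falsePositive.report, null, 2));
```

Cases 2 and 5 are indistinguishable to the heuristic: both end in sanitize with a report, even though only case 5 is an attack. That indistinguishability is exactly why the page's button trips the auditor, and why the block/no-block outcome could be used as an oracle for what a page contains.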


Example XSS Auditor report

Chromium sent the report as a POST with a JSON body to the URL given in the report= directive. This is what the report looked like:

{
  "xss-report": {
    "request-url": "<URL>",
    "request-body": "<post data, if any>"
  }
}