Testing cross-site scripting

Google created the Gruyere project as a means to test web application exploits and defenses. The Gruyere project website has several vulnerabilities embedded into it, including XSS. You can run your own Gruyere instance online, or you can download it to a local machine for your testing.

Once we were logged into our own instance of Gruyere, we copied the previous string into the username input field and clicked the Submit button. The following screenshot shows the Gruyere home page with the CHAOS script displayed.

The string used in the input field is as follows:

CHAOS<script>alert('www.DrChaos.com')</script> ...
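
The same test string can be turned into a regression check for the fix. The following is an added example, not code from the book or from Gruyere: it renders the string through an unescaped template and an escaped one, then parses the output to see whether the input became a script element. The template, function names and class name are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# The test string quoted above (the page elides whatever followed it).
TEST_INPUT = "CHAOS<script>alert('www.DrChaos.com')</script>"
# Hypothetical page fragment that displays the stored user name.
TEMPLATE = '<div id="menu"><span class="user">{name}</span> | <a href="/">Home</a></div>'


def render_unsafe(name):
    """Vulnerable pattern: user input is placed into the HTML as-is."""
    return TEMPLATE.format(name=name)


def render_safe(name):
    """Hardened pattern: encode for the HTML context at output time."""
    return TEMPLATE.format(name=escape(name, quote=True))


class ElementAudit(HTMLParser):
    """Records start tags and text the way an HTML parser sees the page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit(html_doc):
    """Return (list of start tags, concatenated text) for rendered HTML."""
    parser = ElementAudit()
    parser.feed(html_doc)
    parser.close()
    return parser.tags, "".join(parser.text)


def input_became_markup(html_doc):
    """True if the rendered fragment contains a script element."""
    return "script" in audit(html_doc)[0]


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        print(render.__name__, "-> script element:", input_became_markup(render(TEST_INPUT)))
```

With escaping applied, the parser sees only the template's own elements and the user name survives as literal text, which is the behaviour a fixed page should show.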
