Playing with XSS

Want to learn more about XSS attacks? Well, the best way is probably to try some yourself. Here are two sites that offer XSS games that let you test and improve your skills.
https://xss-game.appspot.com/
http://escape.alf.nu

One of my favorite strings to use in testing XSS when I am doing pen testing is the following:
<iframe src=//www.youtube.com/embed/dQw4w9WgXcQ></iframe>
It will add an embedded iframe for the YouTube video Rick Roll. 🙂 It's always amusing to see all the places I can get a Rick Roll to appear.
BTW, to keep the string above from rendering, I had to HTML-encode < to &lt;, and for good measure also change > to &gt; and change the & in &lt; to &amp;.
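As an added example (not code from the original post), here is the output-encoding step the last paragraph describes, in JavaScript: the test string from above is escaped so a page shows it as text instead of rendering the iframe, and the same function handles the author's second case, where the & of a literal &lt; must itself become &amp;. The function names and the comment template are assumptions.

```javascript
// Added example, not from the original post: HTML-escaping the test string
// so that a page displays it as text instead of rendering an iframe.
// Order matters: '&' is replaced first, otherwise the '&' introduced by
// the later replacements would be escaped again (double encoding).

// Constructed input: the Rick Roll iframe string from the post.
const RICK_ROLL_PAYLOAD =
  '<iframe src=//www.youtube.com/embed/dQw4w9WgXcQ></iframe>';

// Escape the five characters that can break out of an HTML text or
// quoted-attribute context. '&' goes first, by design.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Deliberately wrong order, kept to show the double-encoding effect:
// '<' becomes '&lt;', then its '&' becomes '&amp;', yielding '&amp;lt;'.
function escapeHtmlWrongOrder(text) {
  return String(text)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;');
}

// True when the escaped output can no longer open or close a tag.
function isInertInTextContext(escaped) {
  return !/[<>]/.test(escaped);
}

// Simulates reflecting user input into a page body, unsafe vs. safe.
// (Hypothetical template; any real app would use its framework's escaping.)
function renderComment(userInput, { escape = true } = {}) {
  const body = escape ? escapeHtml(userInput) : userInput;
  return `<p class="comment">${body}</p>`;
}

console.log('unsafe:', renderComment(RICK_ROLL_PAYLOAD, { escape: false }));
console.log('safe:  ', renderComment(RICK_ROLL_PAYLOAD));
console.log('wrong order for "<":', escapeHtmlWrongOrder('<'));
```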