In my 404 logs for my website, I noticed an automated attack attempting to compromise various URLs. My site is static, so no harm done, but one thing I noticed was an injection attempt with a script at z e d . x s s . h t (added spaces to prevent generating links to it).
The header of the script at that URL states: "This is a payload to test for Cross-site Scripting (XSS). It is meant to be used by security professionals and bug bounty hunters. If you believe that this payload has been used to attempt to compromise your service without permission, please contact us using https://xsshunter.com/contact."
Okay, so I attempt to load the URL, via Tor, as all my web traffic is. It redirects me to the Internet Archive for that page, and it's not even archived. I archive it. It then masks the contact email address on the page. I click on it. It directs me to a CloudFlare page saying that I have to enable JavaScript in order to unmask the email address.
So in order to report abuse of this XSS testing service I have to allow non-free CloudFlare malware to run on my computer. Nope.