Clickjack Test – This checks a URL for the click-jacking vulnerability.
RSnake’s XSS Cheat Sheet – Useful page for encoding and decoding XSS payloads and other things.
URL Encoding Reference – US ASCII Character Set.
Security and Fuzzing Lists
xss-script-variants.txt – A list of all variants of the <script> tag for XSS testing and Web Application Firewall bypass testing. It contains all permutations of the <script> tag in upper- and lower-case ASCII text and Hex/URL encoding, plus some decimal encodings for the <> tags.