๐Ÿงช XSS Lab Index โ€“ 30 Days to Master XSS

XSS Labs & Challenges by SudoHopeX

  1. LAB 01 - Practice Basic JavaScript Functions by SudoHopeX
  2. LAB 02 - Practice HTML & JS Payloads by SudoHopeX
  3. LAB 03 - XSS Challenge Lab by SudoHopeX
  4. LAB 04 - XSS Event Handler Lab
  5. LAB 05 - DOM Based XSS Lab
  6. LAB 06 - XSS Event Handler Lab 2 ( 60 Levels )
  7. LAB 07 - XSS Mixed Lab - Reflected/Stored/DOM/CSP/SVG/URL ( 50 Levels )
  8. LAB 08 - Reflected XSS Lab 2 ( 50 Levels )
  9. LAB 09 - Server Side (Stored ) Lab ( 20 Levels )

Other XSS Labs

  1. TryHackMe - TryHackMe Basic XSS Lab 01
  2. Portswigger LAB - Reflected XSS into HTML context with nothing encoded
  3. Portswigger LAB - Stored XSS into HTML context with nothing encoded
  4. Portswigger LAB - DOM XSS in document.write sink using source location.search
  5. Portswigger LAB - DOM XSS in innerHTML sink using source location.search
  6. Portswigger LAB - DOM XSS in jQuery anchor href attribute sink using location.search source
  7. Portswigger LAB - DOM XSS in jQuery selector sink using a hashchange event
  8. Portswigger LAB - Reflected XSS into attribute with angle brackets HTML-encoded
  9. Portswigger LAB - Stored XSS into anchor href attribute with double quotes HTML-encoded
  10. Portswigger LAB - Reflected XSS into a JavaScript string with angle brackets HTML encoded
  11. Portswigger LAB - DOM XSS in document.write sink using source location.search inside a select element
  12. Portswigger LAB - DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
  13. Portswigger LAB - Reflected DOM XSS
  14. Portswigger LAB - Stored DOM XSS
  15. Portswigger LAB - Reflected XSS into HTML context with most tags and attributes blocked
  16. Portswigger LAB - Reflected XSS into HTML context with all tags blocked except custom ones
  17. Portswigger LAB - Reflected XSS with some SVG markup allowed
  18. Portswigger LAB - Reflected XSS in canonical link tag
  19. Portswigger LAB - Reflected XSS into a JavaScript string with single quote and backslash escaped
  20. Portswigger LAB - Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
  21. Portswigger LAB - Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
  22. Portswigger LAB - Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
  23. Portswigger LAB - Exploiting cross-site scripting to steal cookies
  24. Portswigger LAB - Exploiting cross-site scripting to capture passwords
  25. Portswigger LAB - Exploiting XSS to bypass CSRF defenses
  26. Portswigger LAB - Reflected XSS with AngularJS sandbox escape without strings
  27. Portswigger LAB - Reflected XSS with AngularJS sandbox escape and CSP
  28. Portswigger LAB - Reflected XSS with event handlers and href attributes blocked
  29. Portswigger LAB - Reflected XSS in a JavaScript URL with some characters blocked
  30. Portswigger LAB - Reflected XSS protected by very strict CSP, with dangling markup attack
  31. Portswigger LAB - Reflected XSS protected by CSP, with CSP bypass

XSS Challenges

Hosted at: https://sudohopex.github.io/labs/xss/
Maintained by SudoHopeX | For education only โ€” Be ethical!