Training XSS Muscles

XSS is all about practice. It takes a lot of time to commit to memory all the vectors, payloads and tricks at our disposal. There are lots of XSS cases, each one requiring a different approach and construct to pop the alert box.

With that in mind, and following the previous XSS Test Page released with the blog post “The 7 Main XSS Cases Everyone Should Know”, a new set of XSS exercises was built to help with that practice, both for beginners and advanced XSS testers, since the same XSS cases are useful to test and build new XSS vectors.

This new “workout” can be found in our XSS GYM.

At the time of publishing there are 33 XSS cases, with some variations of the same cases to help with tests for automated tools or XSS polyglots. A link to the solutions for all 33 cases is at the end of this post.

XSS Gym Exercises

Exercise 01
Injection in Title Tag

Exercise 02
Injection in Noscript Tag

Exercise 03
Injection in Style Tag

Exercise 04
Filtered Injection Inside Event Handler

Exercise 05
Injection in Regular Tags

Exercise 06
Injection in Attribute Value – Double Quote Delimiter

Exercise 07
Injection in Attribute Value – Single Quote Delimiter

Exercise 08
Filtered Injection in Attribute Value – Double Quote Delimiter

Exercise 09
Filtered Injection in Attribute Value – Single Quote Delimiter

Exercise 10
Injection in Textarea Tag

Exercise 11
Injection in Script Tag – Single Quote Delimiter

Exercise 12
Injection in Script Tag – Double Quote Delimiter

Exercise 13
Injection in Javascript Variable – Single Quote Delimiter

Exercise 14
Injection in Javascript Variable – Double Quote Delimiter

Exercise 15
Filtered Injection in Javascript Variable – Single Quote Delimiter

Exercise 16
Filtered Injection in Javascript Variable – Double Quote Delimiter 

Exercise 17
Injection in Script Tag – Backticks Delimiter

Exercise 18
Injection in Javascript Variable – Backticks Delimiter

Exercise 19
Filtered Injection in Javascript Variable – Backticks Delimiter

Exercise 20
Filtered Injection in Javascript Variable – Backticks Delimiter

Exercise 21
Validated Injection in HTTP Reference

Exercise 22
Injection in Iframe Tag

Exercise 23
Injection in HTTP Header

Exercise 24
Filtered Double Injection in Javascript Variable

Exercise 25
Injection in Javascript DOM – Document Sink

Exercise 26
Injection in Javascript DOM – Location Sink

Exercise 27
Injection in Javascript DOM – Execution Sink

Exercise 28
Injection in HTML Comments

Exercise 29
Filtered Injection in HTML Comments

Exercise 30
Filtered Injection in Javascript DOM – Document Sink

Exercise 31
Injection in Script Tag With Header

Exercise 32
Injection in URL

Exercise 33
Injection Bypassing CSP

Here we can see our Online XSS PoC Tool KNOXSS in what is today known as Flash Mode (a limited one) performing against the Gym:

Have fun!

Solutions can be found here.

#hack2learn