XSS is all about practice. It takes a lot of time to imprint in the mind all the vectors, payloads and tricks at our disposal. There are lots of XSS cases, each one requiring a different approach and construct to pop the alert box.
With that in mind, and following the previous XSS Test Page released with the blog post “The 7 Main XSS Cases Everyone Should Know”, a new set of XSS exercises was built to help with that practice, both for beginners and advanced XSS testers, since the same XSS cases are useful to test and build new XSS vectors.
This new “workout” can be found in our XSS GYM.
At the time of publishing there are 33 XSS cases, with some variations of the same cases to help with tests for automated tools or XSS polyglots. A link to solutions for all 33 cases is at the end of this post.
XSS Gym Exercises
Injection in Title Tag
Injection in Noscript Tag
Injection in Style Tag
Filtered Injection Inside Event Handler
Injection in Regular Tags
Injection in Textarea Tag
Injection in Script Tag – Single Quote Delimiter
Injection in Script Tag – Double Quote Delimiter
Injection in Script Tag – Backticks Delimiter
Validated Injection in HTTP Reference
Injection in Iframe Tag
Injection in HTTP Header
Injection in HTML Comments
Filtered Injection in HTML Comments
Injection in Script Tag With Header
Injection in URL
Injection Bypassing CSP
Here we can see our Online XSS PoC Tool KNOXSS in what is today known as Flash Mode (a limited one) performing against the Gym:
— Brute Logic (@brutelogic) June 17, 2021
Solutions can be found here.