10 Websites to help you practice your XSS Hacking skills

Finding and exploiting security holes requires a lot of skill. If you want to write better code, you should regularly find vulnerabilities in other people’s apps or websites. I have compiled a list of Top 10 websites to practice XSS hacking to help you improve your mining ability. Websites are created so that you can learn how attackers exploit Cross-site Scripting vulnerabilities, which you can practice on those Web sites.

10 Websites to help you practice your XSS 4 Hacking skills

These XSS sites are all built based on real attack cases. One of those sites will help you learn the basics of Cross-site Scripting. And you can also challenge yourself with higher difficulty XSS sites. You can use these XSS sites to practice and test your skills, but can also use it to educate others about the importance of effective code security.

Note: If you use Chrome (or a Chromium-based browser) to perform XSS attacks, you may have to disable the XSS inspector with the following flag: –disable-xss-auditor.

Top 10 websites to practice Hack XSS skills

If you don’t pass the exercises, you can use the XSS-Freak automated attack tool that I introduced.

#1: Google XSS Game

Google XSS Game

In 2014, Google created a game that shows you how easy it is to exploit XSS vulnerabilities. It was released to spread security awareness and promote the bug bounty program. The game has 6 levels of increasing difficulty, Google XSS is very simple. All it requires is basic JavaScript knowledge and a bit of Python understanding. I’m not a security engineer but got to level 4 without looking for a solution. Sure, you can do it too.

#2: alert(1) to win

alert(1) to win

This challenge set was created by Erling Ellingsen in 2013. Similar to Google XSS, it has 8 difficulty levels to explore different aspects of Cross-site Scripting. Overall, the challenges are more difficult and require a bit more coding experience. The best part about this game is that you can immediately see the result of the code you enter and the output of the console. When you solve a level, you can see a list of other winners and their scores. Score based on payload time. The fewer characters in the XSS, the higher your order will be.

#3: prompt(1) to win

prompt(1) to win

Security researcher from Hong Kong known as filedescriptor created this XSS site in 2014, inspired by alert(1) to win. The site contains 20 challenges (4 of which are hidden challenges) and are harder than the two games I mentioned above. Similar to alert(1) to win, this game also shows you the results of your actions as you type the HTML code. However, it doesn’t show the console interface so you have to track down the error yourself. Note that the final levels of this site may not be beaten due to changes in browser engines.

#4: XSS Challenges by yamagata21

XSS Challenges by yamagata21

Yamagata’s XSS challenges is one of the oldest XSS games. Consisting of 19 stages starting from the most basic XSS exercises that have been around since 2008. Unlike the challenges above, this XSS site does not provide live results, has no live HTML output, and There is no server-side source code, so you have to do all the work yourself. Websites are built to be vulnerable to XSS attacks. This also means that you need to make sure the XSS protection in your browser is turned off. Also, note that some stages (e.g. 17 and 18) are no longer applicable and you cannot complete them because they require an old version of Internet Explorer to work.

#5: XSS Challenges by nopernik

XSS Challenges by nopernik

This challenge set was created by Alexander Korznikov (nopernik) in 2016 so it’s relatively new. Similar to yamagata’s game, it currently has 19 challenges but new challenges are always added over time, so the site will have some more challenges in the future. Like yamagata’s game, this is just a simple HTML page with basic JavaScript code and no additional Help. In this case, it is also important to disable the XSS filter from the client side. The higher challenges are not hidden, so you don’t have to find a way to access them. However, the challenges will be more difficult as no solution seems to be found online.

#6: XSS Polyglot Challenge

XSS Polyglot Challenge

The Polyglot Challenge is designed by filedescriptor from Hong Kong (author of prompt(1) to win) and it’s not for beginners. It requires you to code the payload that works in most contexts. The more contexts you can handle and the shorter the payload, the higher your ranking. Initially, this was a black box challenge: the author did not reveal the payload tested contexts. The author has already listed the contexts on the page now, so the challenge will be easier. For best results you should create these contexts on local server and test your payload there before sending payload.

#7: Vulnweb by Acunetix

Vulnweb by Acunetix

Vulnweb isn’t just about XSS vulnerabilities. It contains several applications with different technologies like PHP and ASP. Most of them are vulnerable to some form of XSS along with SQL Injection and many more attacks. This site was originally designed to help you test automated vulnerability scanners. Therefore, it is not designed as challenging XSS sites. Your challenge is to try to find the holes yourself. You can then use Acunetix to see how many vulnerabilities you’ve missed.

#8: OWASP WebGoat Project

OWASP WebGoat Project

The WebGoat project is an open source application that you need to download and run yourself. It helps you learn not only XSS vulnerability (including DOM-based XSS, less common) but many other types of security vulnerabilities.WebGoat is currently at version 8.0 and it is available for download (JAR file) ) or as a Docker image. In addition to WebGoat, there are several other similar OWASP projects, such as Juice Shop.

#9: Hack.me XSS Library

Hack.me XSS Library

The Hackme Community Project is a third-party code library. Anyone can upload code examples for others to practice. When you want to test your skills, Hackme creates a single user instance to work with. Hackme libraries are categorized by vulnerability types. The link provided above points to the XSS section of the library only. It includes a lot of different examples, both simple and complex ones. You can practice different types of XSS including stored XSS, reflected XSS, and DOM-based XSS.

#10: cure53 XSS Challenge Wiki

cure53 XSS Challenge Wiki

If my list is not enough for you, you can follow the XSS challenge wiki created by Cure53 and hosted on GitHub. Although it hasn’t been updated in a while, it still contains a list of various XSS hacking exercises. Most of the practice exercises described above are suggested. However, some XSS error sites no longer work.

Leave a Reply