by y0n3uchy
This website includes some educational XSS challenges. Execute alert('XSS') and alert(document.domain) to win! Please note that document.domain should be 'xss.challenge.training.hacq.me' when alert(document.domain) is executed.
Baby XSS 01
Try to start learning XSS from here! This is a simple example of what we say Reflected XSS.
Baby XSS 02
Your next step is this one! This kind of XSS is called DOM-based XSS (or DbXSS, in short).
Baby XSS 03
This challenge seems to be more difficult than 01 & 02. (NOTE: I believe this needs user interaction.)
Baby XSS 04
Baby XSS 01 - 03 might be too easy for you, but you are still a baby until you solve this one :-)
No Alphabets and Digits
Sometimes we cannot inject any characters except for symbols --- like this.
No Parentheses
Defining and calling functions are fundamental skills for programmers. It means this challenge is too easy for them!
No Quotes
Single quote, double quote, and backquote are essential symbols to define a string. If you face an environment that restricts to use them, how will you do?
No Parentheses Again
Here comes stronger filters for parentheses!
Replacement
The essense of escaping is replacing. So this is a good escaping, right? :-)
Reining the Web by Whitelisting
This page enables whitelist-based CSP. Can you bypass it?
Calculator
Some young developers rely on eval() like this, though that is not what a good developer looks like ...
Mixed juice
As you know, server-side HTML generation by PHP is so handy and client-side templating by Vue.js is so rich. So, it is a almighty way to combine them!
Frustrating App
This application seems vulnerable, but it's difficult a little bit to write working PoC.