XSS Challenge

Execute alert('XSS') and alert(document.domain) to win!

What is this?

This is an XSS challenge made by y0n3uchy.

Please note that document.domain should be 'xss.challenge.training.hacq.me' when alert(document.domain) is executed.

Notes & Disclaimer

Some problems need user interaction, such as `onmouseover`, etc.

This is not a CTF; there's no FLAG and no prizes. All you can do is enjoy alert.

You will see a popup saying "You win! :-)" when alert('XSS') or alert(document.domain) is executed successfully. I don't mind your sharing your writeup in public.


For Newbies

Baby XSS 01

Try to start learning XSS from here! This is a simple example of what we call Reflected XSS.

Baby XSS 02

Your next step is this one! This kind of XSS is called DOM-based XSS (or DbXSS, in short).

Baby XSS 03

This challenge seems to be more difficult than 01 & 02. (NOTE: I believe this needs user interaction.)

Baby XSS 04

Baby XSS 01 - 03 might be too easy for you, but you are still a baby until you solve this one :-)

Battle with Filters

No Alphabets and Digits

Sometimes we cannot inject any characters except for symbols --- like this.

No Parentheses

Defining and calling functions are fundamental skills for programmers. It means this challenge is too easy for them!

No Quotes

Single quote, double quote, and backquote are essential symbols to define a string. If you face an environment that restricts their use, what will you do?

No Parentheses Again

Here come stronger filters for parentheses!

Battle with Logic


The essence of escaping is replacing. So this is good escaping, right? :-)

Battle with Content-Security-Policy

Reining the Web by Whitelisting

This page enables whitelist-based CSP. Can you bypass it?


Some young developers rely on eval() like this, though that is not what a good developer looks like ...

Mixed juice

As you know, server-side HTML generation by PHP is so handy and client-side templating by Vue.js is so rich. So, combining them is an almighty approach!

Frustrating App

This application seems vulnerable, but it's a little bit difficult to write a working PoC.