Cross-site scripting
APPRENTICE (🟢) – 9 LABS
🟢 LAB 1 - Reflected XSS into HTML context with nothing encoded ➜
🟢 LAB 2 - Stored XSS into HTML context with nothing encoded ➜
🟢 LAB 3 - DOM XSS in document.write sink using source location.search ➜
🟢 LAB 4 - DOM XSS in innerHTML sink using source location.search ➜
🟢 LAB 5 - DOM XSS in jQuery anchor href attribute sink using location.search ➜
🟢 LAB 6 - DOM XSS in jQuery selector sink using a hashchange event ➜
🟢 LAB 7 - Reflected XSS into attribute with angle brackets HTML-encoded ➜
🟢 LAB 8 - Stored XSS into anchor href attribute with double quotes HTML-encoded ➜
🟢 LAB 9 - Reflected XSS into a JavaScript string with angle brackets HTML-encoded ➜
PRACTITIONER (🟡) – 15 LABS
🟡 LAB 10 - DOM XSS in document.write sink using location.search inside a select element ➜
🟡 LAB 11 - DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded ➜
🟡 LAB 12 - Reflected DOM XSS ➜
🟡 LAB 13 - Stored DOM XSS ➜
🟡 LAB 14 - Reflected XSS into HTML context with most tags and attributes blocked ➜
🟡 LAB 15 - Reflected XSS into HTML context with all tags blocked except custom ones ➜
🟡 LAB 16 - Reflected XSS with some SVG markup allowed ➜
🟡 LAB 17 - Reflected XSS in canonical link tag ➜
🟡 LAB 18 - Reflected XSS into a JavaScript string with single quote and backslash escaped ➜
🟡 LAB 22 - Exploiting cross-site scripting to steal cookies ➜
🟡 LAB 23 - Exploiting cross-site scripting to capture passwords ➜
🟡 LAB 24 - Exploiting XSS to bypass CSRF defenses ➜
EXPERT (🔴) – 6 LABS
🔴 LAB 25 - Reflected XSS with AngularJS sandbox escape without strings ➜
🔴 LAB 26 - Reflected XSS with AngularJS sandbox escape and CSP ➜
🔴 LAB 27 - Reflected XSS with event handlers and href attributes blocked ➜
🔴 LAB 28 - Reflected XSS in a JavaScript URL with some characters blocked ➜
🔴 LAB 29 - Reflected XSS protected by very strict CSP, with dangling markup attack ➜
🔴 LAB 30 - Reflected XSS protected by CSP, with CSP bypass ➜