https://github.com/povzayd/xss-labs
This is an intentionally vuln webpage designed to practice XSS.
- Host: GitHub
- URL: https://github.com/povzayd/xss-labs
- Owner: povzayd
- License: mit
- Created: 2025-06-12T04:22:35.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-07-07T18:04:15.000Z (11 months ago)
- Last Synced: 2025-08-30T06:44:53.035Z (10 months ago)
- Topics: webpentesting, xss, xss-attacks, xss-exploitation, xss-injection, xss-poc, xss-vulnerability
- Language: HTML
- Homepage: https://povzayd.github.io/XSS-LABS/
- Size: 101 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
README
### What is XSS (Cross-Site Scripting)?
**XSS (Cross-Site Scripting)** is a type of **security vulnerability** that allows an attacker to **inject malicious code (usually JavaScript)** into a website or web application. Because the browser cannot tell injected script from the site's own, this code then **runs in the browser** of other users who visit the site, with the site's origin and the victim's session.
---
### Why is it dangerous?
Because it lets attackers:
* Steal cookies, session tokens, or personal data
* Trick users into clicking fake buttons or links (phishing)
* Deface the website or redirect users elsewhere
* Hijack user accounts or perform actions on their behalf
---
### How does it happen?
It usually happens when a website:
1. **Takes user input** (like in a search box or comment field)
2. **Displays it back** on the page **without encoding it for the context it lands in** (HTML body, attribute value, or JavaScript)
3. So an attacker can input something like:
```html
<script>alert('XSS')</script>
```
and the browser executes it as part of the page.
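The three steps above, as an added example that is not part of the XSS-LABS project: a few lines of plain Node.js that reflect a query parameter and re-display stored comments, with the vulnerable rendering next to the output-encoded version. All function names, the in-memory comment store and the payloads are illustrative assumptions, not the lab's own code.

```javascript
// Added example (not from XSS-LABS): reflected and stored XSS in a minimal
// Node.js page renderer, vulnerable and hardened side by side.
// Function names and sample inputs below are illustrative.

// Output encoding for the HTML body context. The same five characters also
// cover a double- or single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected XSS: the search term comes from the query string of the request
// and is echoed straight into the response body (step 1 + step 2 above).
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl, 'http://localhost').searchParams.get('q') || '';
  return `<h1>Results for: ${q}</h1>`;
}

// Same endpoint with output encoding: the payload is displayed, not executed.
function renderSearchSafe(requestUrl) {
  const q = new URL(requestUrl, 'http://localhost').searchParams.get('q') || '';
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Stored XSS: comments are kept server-side (here, an in-memory array) and
// re-displayed to every visitor, so one malicious submission hits all of them.
const comments = [];
function postComment(text) {
  comments.push(text); // stored without validation, as in Lab 1
}
function renderCommentsVulnerable() {
  return comments.map((c) => `<li>${c}</li>`).join('');
}
function renderCommentsSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
}

// Rough sink check for a test or scanner: does the rendered HTML still
// contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demo with a constructed payload (the one from the README).
const demoUrl = '/search?q=' + encodeURIComponent("<script>alert('XSS')</script>");
console.log(renderSearchVulnerable(demoUrl)); // script tag lands in the page
console.log(renderSearchSafe(demoUrl));       // &lt;script&gt;... is shown as text
```

The encoding belongs at the output site, not the input site: the same stored comment may later be rendered into an attribute or a script block, where body-context escaping alone is not enough.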
---
## XSS LAB: Complete XSS Vulnerability Training Ground
This project is a hands-on **web security lab** designed to help learners understand and exploit the three major types of **Cross-Site Scripting (XSS)** vulnerabilities:
**Reflected**, **Stored**, and **DOM-Based XSS**.
---
### Project Structure [TRY NOW!](https://povzayd.github.io/XSS-LABS)
The lab is divided into escalating levels of difficulty:
---
### Lab 1 - Beginner Level: Basic Injection
**Focus:** Introduces how unfiltered user input is executed as code.
* Users can enter simple scripts like:
```html
<script>alert(87)</script>
```
* Demonstrates:
* Basic **reflected XSS** (via query parameters or form input)
* **Stored XSS** (through input saved and re-displayed)
* A basic example of **DOM-based XSS**
* Suitable for beginners to understand how careless input handling results in direct script execution.
---
### Lab 2 - Intermediate Level: Context Breakout
**Focus:** Teaches bypassing more complex filters and breaking out of HTML contexts.
* Requires crafted payloads that first close the attribute or tag the input lands in, such as:
```html
"><script>alert(87)</script>
```
* Demonstrates:
* How XSS works when injection occurs inside HTML attributes, tags, or JS contexts
* DOM manipulation vulnerabilities where user input is processed via JavaScript (e.g., `location.hash`, `innerHTML`, `document.write`)
* Helps learners practice **breaking out of quotes, attributes, or tags**, which simulates real-world attack scenarios.
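Context breakout from Lab 2, as an added example that is not part of the XSS-LABS project: the search term lands inside a double-quoted `value` attribute, a filter that only strips `<script>` tags is applied, and the rendered tag is parsed back to see which attributes the browser would actually get. Function names, the filter and the two payloads are illustrative assumptions; the `"><script>` payload is the README's, the `onfocus` variant is a constructed bypass.

```javascript
// Added example (not from XSS-LABS): attribute-context breakout, a
// tag-stripping "filter" that does not prevent it, and the context-aware fix.
// All names and payloads are illustrative.

// The kind of filter an intermediate level might apply: remove <script> tags only.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script\b[^>]*>/gi, '');
}

// Encoding that is safe for an HTML text node and for a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable: the term is echoed into value="..." after the tag filter only.
// A leading double quote in the input terminates the attribute early.
function renderInputFiltered(q) {
  return `<input type="text" name="q" value="${stripScriptTags(q)}">`;
}

// Hardened: attribute-context encoding. A quote in the input becomes &quot;,
// so it can no longer end the attribute or introduce a new one.
function renderInputSafe(q) {
  return `<input type="text" name="q" value="${escapeHtml(q)}">`;
}

// Parse the first tag in `html` and list its attribute names, roughly the way
// a browser would see them. Handles name="value" pairs and bare attributes.
function attributeNames(html) {
  const m = /^<(\w+)([^>]*)>/.exec(html);
  if (!m) return [];
  const names = [];
  const re = /([^\s=]+)(?:\s*=\s*"[^"]*")?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) names.push(a[1].toLowerCase());
  return names;
}

// The input was "broken out of" if the tag gained attributes the template
// never wrote, or if any markup follows the tag.
function hasBreakout(html) {
  const allowed = new Set(['type', 'name', 'value']);
  const extra = attributeNames(html).some((n) => !allowed.has(n));
  const trailing = html.replace(/^<[^>]*>/, '').length > 0;
  return extra || trailing;
}

// Constructed payloads for the demo.
const readmePayload = '"><script>alert(87)</script>';      // closes the tag
const handlerPayload = '" autofocus onfocus="alert(87)';  // stays inside the tag
console.log(renderInputFiltered(readmePayload));   // filter leaves ">alert(87) as text
console.log(renderInputFiltered(handlerPayload));  // filter passes it; onfocus fires
console.log(renderInputSafe(handlerPayload));      // stays one harmless attribute
```

The first payload shows why filtering is the wrong layer: the `<script>` tags are gone, but the quote still closed the attribute, and a payload that never needs a tag (`autofocus onfocus=`) walks straight through. The DOM-based variant in this level is the same bug on the client side: `location.hash` read by page script and written with `innerHTML` or `document.write` lets the same payloads in, and assigning to `textContent` (or encoding before `innerHTML`) is the equivalent of `escapeHtml` there.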
---
### Lab 3 - Coming Soon
---
### Learning Objectives
By completing these labs, users will:
* Understand the **differences** between Reflected, Stored, and DOM-based XSS
* Learn to **identify vulnerable input/output handling**
* Gain hands-on experience with **payload crafting** and **context-based escaping**
* Improve awareness of **secure coding best practices**
---
### Disclaimer
This lab is intended **strictly for educational purposes**.
Do not attempt these techniques on any live websites or systems without **explicit permission**.
---
### Want to Contribute?
We're building this XSS Lab for learners, web security explorers, and curious minds, and **you** can help make it even better!
#### How You Can Contribute:
* Add new XSS levels or challenges (Reflected / Stored / DOM-based)
* Suggest new payloads or bypass techniques
* Fix bugs or write better explanations
#### Getting Started:
1. Fork the project on [GitHub](https://github.com/povzayd/XSS-LABS)
2. Make your changes
3. Submit a Pull Request
4. We'll review and merge!
> No idea is too small. Whether it's a typo fix or a new lab, every contribution counts.
---
### Built by web security explorers, for web security explorers
This project was crafted with passion and precision by:
* **[Unass](https://github.com/una55)**
* **[Zaid](https://github.com/povzayd)**
We built this lab to help others **learn, break, and secure**, because the best way to defend the web is to understand how it's broken.
> Special thanks to the community of web security explorers and learners who inspire us to push boundaries, ask better questions, and share knowledge freely.
---
This project is licensed under the [MIT License](https://github.com/povzayd/XSS-LABS#MIT-1-ov-file). Feel free to use, modify, and share with proper attribution.
---