XSS is all about practice. It takes a lot of time to imprint in the mind all the vectors, payloads and tricks at our disposal. There are lots of XSS cases, each one requiring a different approach and construct to pop the alert box.
With that in mind, and following the previous XSS Test Page released with the blog post “The 7 Main XSS Cases Everyone Should Know”, a new set of XSS exercises was built to help with that practice, both for beginners and advanced XSS testers, since the same XSS cases are useful to test and build new XSS vectors.
This new “workout” can be found in our XSS GYM.
At the time of publishing there are 33 XSS cases, with some variations of the same cases to help with tests for automated tools or XSS polyglots. A link to the solutions for all 33 cases is at the end of this post.
XSS Gym Exercises
Exercise 01
Injection in Title Tag
Exercise 02
Injection in Noscript Tag
Exercise 03
Injection in Style Tag
Exercise 04
Filtered Injection Inside Event Handler
Exercise 05
Injection in Regular Tags
Exercise 06
Injection in Attribute Value – Double Quote Delimiter
Exercise 07
Injection in Attribute Value – Single Quote Delimiter
Exercise 08
Filtered Injection in Attribute Value – Double Quote Delimiter
Exercise 09
Filtered Injection in Attribute Value – Single Quote Delimiter
Exercise 10
Injection in Textarea Tag
Exercise 11
Injection in Script Tag – Single Quote Delimiter
Exercise 12
Injection in Script Tag – Double Quote Delimiter
Exercise 13
Injection in Javascript Variable – Single Quote Delimiter
Exercise 14
Injection in Javascript Variable – Double Quote Delimiter
Exercise 15
Filtered Injection in Javascript Variable – Single Quote Delimiter
Exercise 16
Filtered Injection in Javascript Variable – Double Quote Delimiter
Exercise 17
Injection in Script Tag – Backticks Delimiter
Exercise 18
Injection in Javascript Variable – Backticks Delimiter
Exercise 19
Filtered Injection in Javascript Variable – Backticks Delimiter
Exercise 20
Filtered Injection in Javascript Variable – Backticks Delimiter
Exercise 21
Validated Injection in HTTP Reference
Exercise 22
Injection in Iframe Tag
Exercise 23
Injection in HTTP Header
Exercise 24
Filtered Double Injection in Javascript Variable
Exercise 25
Injection in Javascript DOM – Document Sink
Exercise 26
Injection in Javascript DOM – Location Sink
Exercise 27
Injection in Javascript DOM – Execution Sink
Exercise 28
Injection in HTML Comments
Exercise 29
Filtered Injection in HTML Comments
Exercise 30
Filtered Injection in Javascript DOM – Document Sink
Exercise 31
Injection in Script Tag With Header
Exercise 32
Injection in URL
Exercise 33
Injection Bypassing CSP
Here we can see our Online XSS PoC Tool KNOXSS in what is today known as Flash Mode (a limited one) performing against the Gym:
Initial tests of our upcoming (new blog post) and definitive Brute #XSS Polyglots in our brand new XSS Gym! 😎 https://t.co/yVImkw5sG8
Powered by @KN0X55 pic.twitter.com/Ekrz3xTeAy
— Brute Logic (@brutelogic) June 17, 2021
Have fun!
Solutions can be found here.
#hack2learn