XSS 漏洞练习靶场，覆盖反射型、存储型、DOM 型、SVG、CSP、框架注入、协议绕过等多种场景

工具介绍

XSS-Sec 靶场项目是一个以"实战为导向"的 XSS 漏洞练习靶场，覆盖反射型、存储型、DOM 型、SVG、CSP、框架注入、协议绕过等多种场景。页面样式统一，逻辑清晰，适合系统化学习与教学演示。

关卡总览（名称与简介）

• Level 1: Reflected XSS --- The basics.

• Level 2: DOM-based XSS --- Client-side manipulation.

• Level 3: Stored XSS --- Persistent payloads.

• Level 4: Attribute Breakout --- Escape the attribute.

• Level 5: Filter Bypass --- No allowed.

• Level 6: Quote Filtering --- Break out of single quotes.

• Level 7: Keyword Removal --- Double write bypass.

• Level 8: Encoding Bypass --- HTML entities are your friend.

• Level 9: URL Validation --- Must contain http://

• Level 10: Protocol Bypass --- Case sensitivity matters.

• Level 11: JS Context --- Break out of JS string.

• Level 12: DOM XSS via Hash --- The server sees nothing.

• Level 13: Frontend Filter --- Bypass the regex.

• Level 14: Double Encoding --- Double the trouble.

• Level 15: Framework Injection --- AngularJS Template Injection.

• Level 16: PostMessage XSS --- Talk to the parent.

• Level 17: CSP Bypass --- Strict CSP? Find a gadget.

• Level 18: Anchor Href XSS --- Stored XSS in href.

• Level 19: DOM XSS in Select --- Break out of select.

• Level 20: jQuery Anchor XSS --- DOM XSS in jQuery attr().

• Level 21: JS String Reflection --- Reflected XSS in JS string.

• Level 22: Reflected DOM XSS --- Server reflection + Client sink.

• Level 23: Stored DOM XSS --- Replace only once.

• Level 24: WAF Bypass (Tags/Attrs) --- Reflected XSS with strict WAF.

• Level 25: SVG Animate XSS --- SVG-specific vector bypass.

• Level 26: Canonical Link XSS --- Escaping single quotes issue.

• Level 27: Stored XSS in onclick --- Entities vs escaping pitfall.

• Level 28: Template Literal XSS --- Reflected into JS template string.

• Level 29: Cookie Exfiltration --- Stored XSS steals session cookie.

• Level 30: Angular Sandbox Escape --- No strings, escape Angular sandbox.

• Level 31: AngularJS CSP Escape --- Bypass CSP and escape Angular sandbox.

• Level 32: Reflected XSS (href/events blocked) --- Bypass via SVG animate to set href.

• Level 33: JS URL XSS (chars blocked) --- Reflected XSS in javascript: URL with chars blocked.

• Level 34: CSP Bypass (report-uri token) --- Chrome-only CSP directive injection via report-uri.

• Level 35: Upload Path URL XSS --- Independent lab: upload HTML, random rename, URL concat XSS.

• Level 36: Hidden Adurl Reflected XSS --- Independent lab: hidden ad anchor reflects adurl/adid.

• Level 37: Data URL Base64 XSS --- Blacklist filter; must use data:text/html;base64 in object.

• Level 38: PDF Upload XSS --- Independent lab: upload PDF, view opens HTML-in-PDF causing XSS.

• Level 39: Regex WAF Bypass --- src/="data:..." bypasses WAF regex.

• Level 40: Bracket String Bypass --- href reflects; use window["al"+"ert"] to evade WAF.

• Level 41: Fragment Eval/Window Bypass --- Echo HTML; split strings then eval or window[a+b].

• Level 42: Login DB Error XSS --- Independent lab: invalid DB shows error, SQL reflects username.

• Level 43: Chat Agent Link XSS --- Independent lab: chat echoes, agent clicks user link executes.

• Level 44: CSS Animation Event XSS --- Strong WAF: only @keyframes+xss onanimationend allowed.

• Level 45: RCDATA Textarea Breakout XSS --- Strong WAF: only textarea/title RCDATA breakout works.

• Level 46: JS String Escape (eval) --- theme string injection; escape with eval(myUndefVar); alert(1);

• Level 47: Throw onerror comma XSS --- Strong WAF: only throw οnerrοr=alert,cookie

• Level 48: Symbol.hasInstance Bypass --- Strong WAF: only instanceof+eval chain

• Level 49: Video Source onerror XSS --- Strong WAF: only video source onerror

• Level 50: Bootstrap RealSite XSS --- Independent site: only xss onanimationstart

工具下载

https://github.com/duckpigdog/XSS-Sec