Free XSS Labs — Practice Cross-Site Scripting
Hands-on cross-site scripting labs running entirely in your browser. They cover every major XSS variant attackers use in real bug bounties — reflected, stored, DOM-based, attribute-context, and sanitiser-bypass cases. No VM setup, no signup required to play, free forever.
Cross-site scripting remains the most-reported web vulnerability in bug bounty programs year after year. These labs walk you through the exact patterns you'll encounter on real targets — from a simple search-box reflection to attribute-quote breakouts and SVG-based sanitiser bypasses. Each lab tracks your time-to-solve and rewards XP on completion. Start with the beginner labs to learn the fundamentals, then move on to the intermediate variants that mirror what bug bounty hunters actually find in production today.
Reflected XSS — Search Box
BookShop's search box echoes your query back into the page without sanitisation. Find a way to make the page execute arbitrary JavaScript.
Stored XSS — Blog Comment
DevBlog stores comments and renders them on every page view. Plant a payload that fires every time the comments load — not just for you, but for everyone who visits.
DOM XSS — Search Highlighter
QuickDocs reads the URL fragment to highlight search terms in the article. The server never sees the fragment — but the client renders it. Find the DOM-based XSS.
Reflected XSS — Attribute Context
ProfileMe reflects your name into the `value` attribute of an input field. Angle brackets are escaped so a normal <img onerror> payload won't work. Find a way to break out anyway.
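An added example (not the lab's own code) of the defence this lab is about: an encoder that escapes only angle brackets leaves the double quote free to close the `value` attribute, while an attribute-context encoder keeps the whole input inside it. The field name, the constructed sample input and the tiny attribute tokenizer are assumptions made for the demo.

```javascript
// Added example: why escaping only < and > is not enough when untrusted input
// lands inside a quoted HTML attribute value (defensive illustration).

// Encoder that handles element-context characters only (the lab's mistake).
function escapeAnglesOnly(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-context encoder: escapes every character that can terminate the
// attribute value or introduce markup, not just angle brackets.
function escapeForAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side template (assumed): the reflected name sits in a double-quoted value.
function renderNameField(name, encoder) {
  return `<input type="text" name="name" value="${encoder(name)}">`;
}

// Minimal attribute tokenizer (assumed, for the demo): returns the attribute
// names an HTML parser would assign to the <input> element.
function attributeNames(html) {
  const inner = html.slice(html.indexOf("<input") + 6, html.lastIndexOf(">"));
  const names = [];
  const re = /\s*([^\s=]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample input: a name that closes the value and adds a harmless
// extra attribute; the point is that the input controls attribute structure.
const SAMPLE_NAME = 'Alice" data-injected="1';

function demo() {
  const weak = renderNameField(SAMPLE_NAME, escapeAnglesOnly);
  const strong = renderNameField(SAMPLE_NAME, escapeForAttribute);
  return {
    weakAttrs: attributeNames(weak),     // gains "data-injected": breakout succeeded
    strongAttrs: attributeNames(strong), // only type, name, value: input stays inside
  };
}
```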
Reflected XSS — SVG Sanitiser Bypass
ProfilePics renders user-supplied SVG as an avatar. The sanitiser strips <script> tags but leaves SVG event-handler attributes intact. Find a payload that fires.