XSS labs

xss.vulnlab.dev

Five labs covering the XSS detection surface that scanners care about: reflected and stored sinks, a DOM-only sink the server never sees, a strict-looking CSP that is bypassable through a same-origin JSONP endpoint, and a mutation XSS in which a server-side regex sanitizer is defeated by a client-side innerHTML reparse.

Labs

Reflected XSS
  Sink: Markup() / |safe
  The search box echoes your query into the page without escaping.

Stored XSS (guestbook)
  Sink: Markup() / |safe
  Comments are persisted and re-rendered as raw HTML for every visitor.

DOM-based XSS (location.hash → innerHTML)
  Sink: element.innerHTML
  Pure client-side sink. The payload rides in the URL fragment, which browsers do not send to the server, so there is no reflection to spot in server responses or logs.

Reflected XSS behind a CSP that has a JSONP endpoint on-origin
  Sink: Markup() / |safe
  The CSP looks restrictive (script-src 'self'), but 'self' permits any script served from the site's own origin, and the same-origin /jsonp endpoint reflects its callback parameter into a script body. An injected <script src="/jsonp?callback=<payload>"> therefore runs attacker-chosen code without violating the policy.

Mutation XSS via innerHTML round-trip
  Sink: regex sanitizer + element.innerHTML round-trip
  A server-side regex sanitizer inspects the markup as a string; the client then assigns that string to innerHTML, and the browser's HTML parser re-interprets it, switching parser modes in ways the regex never modelled, so elements and attributes the sanitizer never saw come out the other side.
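The fourth lab's point, as an added JavaScript example rather than anything from the lab's published source: a toy JSONP handler, a strict-callback variant, and a minimal script-src evaluator showing that 'self' admits a same-origin /jsonp URL while a nonce-based policy does not. The handler code, the callback query parameter and the payload are assumptions for illustration; only the host name comes from the page.

```javascript
// Added example (not lab code): why "script-src 'self'" does not stop an
// on-origin JSONP endpoint. The /jsonp handler modelled here and its
// callback= query parameter are assumptions about the lab's real handler.

// Vulnerable JSONP shape: the callback name is concatenated straight into
// a script body, so the caller controls JavaScript, not just a name.
function jsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened shape: accept only a bare (optionally dotted) identifier.
// This stops injected statements, but the caller still picks which global
// function runs, so on its own it does not close the CSP hole.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function jsonpStrict(callback, data) {
  if (!CALLBACK_RE.test(callback)) throw new Error('rejected callback');
  return `/**/ ${callback}(${JSON.stringify(data)});`;
}

// Small script-src evaluator: just enough CSP to reason about this lab.
// Models 'self', 'unsafe-inline', 'nonce-<value>' and scheme-qualified host
// sources; default-src fallback, hashes and 'strict-dynamic' are ignored.
function scriptAllowed(csp, { src, nonce, pageOrigin }) {
  const m = /(?:^|;)\s*script-src\s+([^;]+)/.exec(csp);
  if (!m) return true;
  const sources = m[1].trim().split(/\s+/);
  if (nonce !== undefined && sources.includes(`'nonce-${nonce}'`)) return true;
  if (src === undefined) return sources.includes("'unsafe-inline'"); // inline <script>
  const target = new URL(src, pageOrigin);
  return sources.some((s) => {
    if (s === "'self'") return target.origin === pageOrigin;
    if (s.startsWith("'")) return false;
    try { return new URL(s).origin === target.origin; } catch { return false; }
  });
}

const ORIGIN = 'https://xss.vulnlab.dev';
const PAYLOAD = 'alert(document.domain);//';
// What the reflected sink must emit: a script tag pointing at the site's
// own JSONP endpoint, with the callback carrying the payload.
const BYPASS_SRC = `${ORIGIN}/jsonp?callback=${encodeURIComponent(PAYLOAD)}`;

function demo() {
  const labCsp = "script-src 'self'";
  return {
    // a plain inline <script> from the reflected sink is blocked...
    inlineBlocked: !scriptAllowed(labCsp, { pageOrigin: ORIGIN }),
    // ...but <script src=/jsonp?...> is same-origin, so 'self' lets it load
    jsonpAllowed: scriptAllowed(labCsp, { src: BYPASS_SRC, pageOrigin: ORIGIN }),
    // and the body the browser executes is attacker JavaScript
    servedBody: jsonpVulnerable(PAYLOAD, { ok: true }),
    // a nonce-only policy blocks the same tag, because it carries no nonce
    nonceBlocksJsonp: !scriptAllowed("script-src 'nonce-r4nd0m'", { src: BYPASS_SRC, pageOrigin: ORIGIN }),
  };
}

console.log(demo());
```

Even the strict-callback variant is not a fix: a callback of `alert` still yields `/**/ alert({"ok":true});`, which executes. The durable remedies are to stop serving JSONP from an origin the policy trusts with 'self', or to move the policy to nonces or hashes so that a script tag the attacker injected cannot carry a valid nonce.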

For tool builders

The source for every lab is published; each lab page links to its own source at /source/<slug>. Each lab also exposes a JSON detection hint at /meta/<slug> (with an index at /meta/) describing what a scanner should produce: CWE, subtype, sinks, exploit examples, success markers and tags. Use it to benchmark your tool against ground truth.
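One way to use the /meta/ hints, as an added example that is not tooling shipped with the labs: a Node script that scores a scanner's findings against the hint for each lab. The key names it reads (cwe, subtype, sinks, exploit_examples, success_markers, tags) are guessed from the field list above, the index is assumed to be a JSON object with a labs array of slugs, a success marker is interpreted as a string whose presence in the captured response proves the payload landed, and all of the sample data is constructed. Adjust the key names to whatever the live /meta/ responses actually contain.

```javascript
// Added example: a benchmark harness for the /meta/<slug> detection hints.
// Not part of the labs. Key names are assumed from the page's field list;
// the index shape and every sample record below are constructed.

// Constructed stand-in for what /meta/ and /meta/<slug> might return.
const SAMPLE_META = {
  '/meta/': { labs: ['reflected', 'dom-hash', 'csp-jsonp'] },
  '/meta/reflected': {
    cwe: 'CWE-79', subtype: 'reflected', sinks: ['Markup()', '|safe'],
    exploit_examples: ['<img src=x onerror=alert(1)>'],
    success_markers: ['<img src=x onerror=alert(1)>'],
    tags: ['reflected', 'html-body'],
  },
  '/meta/dom-hash': {
    cwe: 'CWE-79', subtype: 'dom', sinks: ['element.innerHTML'],
    exploit_examples: ['#<img src=x onerror=alert(1)>'],
    success_markers: ['onerror=alert(1)'],
    tags: ['dom', 'location.hash'],
  },
  '/meta/csp-jsonp': {
    cwe: 'CWE-79', subtype: 'reflected', sinks: ['Markup()', '|safe'],
    exploit_examples: ['<script src="/jsonp?callback=alert(1)//"></script>'],
    success_markers: ['/jsonp?callback=alert(1)//'],
    tags: ['csp', 'jsonp'],
  },
};

// Constructed scanner output: one clean hit, one finding with the wrong
// subtype and no evidence, and nothing at all for csp-jsonp.
const SCANNER_FINDINGS = [
  { slug: 'reflected', cwe: 'CWE-79', subtype: 'reflected', sinks: ['|safe'],
    evidence: '<div id="results">You searched for <img src=x onerror=alert(1)></div>' },
  { slug: 'dom-hash', cwe: 'CWE-79', subtype: 'reflected', sinks: [], evidence: '' },
];

// Compare one finding against the lab's ground truth. Every disagreement is
// recorded so a tool author can see which field the scanner got wrong.
function scoreLab(slug, truth, finding) {
  if (!finding) return { slug, status: 'miss', reasons: ['no finding'] };
  const reasons = [];
  if (finding.cwe !== truth.cwe) reasons.push(`cwe ${finding.cwe} != ${truth.cwe}`);
  if (finding.subtype !== truth.subtype) reasons.push(`subtype ${finding.subtype} != ${truth.subtype}`);
  if (!finding.sinks.some((s) => truth.sinks.includes(s))) reasons.push('no known sink named');
  if (!truth.success_markers.some((m) => finding.evidence.includes(m))) reasons.push('no success marker in evidence');
  return { slug, status: reasons.length ? 'partial' : 'hit', reasons };
}

// Score every lab the index lists; labs with no finding count as misses.
function benchmark(metaByPath, findings) {
  const bySlug = new Map(findings.map((f) => [f.slug, f]));
  const perLab = metaByPath['/meta/'].labs.map((slug) =>
    scoreLab(slug, metaByPath[`/meta/${slug}`], bySlug.get(slug)));
  const count = (st) => perLab.filter((r) => r.status === st).length;
  return { hits: count('hit'), partial: count('partial'), misses: count('miss'), perLab };
}

// Pull the real hints (Node 18+ global fetch) into the same shape as
// SAMPLE_META. The index is assumed to carry a `labs` array of slugs.
async function loadLive(base = 'https://xss.vulnlab.dev') {
  const index = await (await fetch(`${base}/meta/`)).json();
  const meta = { '/meta/': index };
  for (const slug of index.labs) {
    meta[`/meta/${slug}`] = await (await fetch(`${base}/meta/${slug}`)).json();
  }
  return meta;
}

console.log(JSON.stringify(benchmark(SAMPLE_META, SCANNER_FINDINGS), null, 2));
```

Swap `SAMPLE_META` for `await loadLive()` and feed in your scanner's real output to get a per-lab scorecard; the `reasons` array is what separates "found something" from "found the right thing".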