Progressive challenges — exploit each level to unlock harder defenses
alert('XSS') (or any JS) in your browser.
No filters, no encoding. Your input is reflected directly into the page. The classic starting point.
Your input is stored and rendered for all visitors. Classic persistent XSS.
The server strips <script> tags. Find another way to execute JavaScript.
Your input lands inside an HTML attribute. Break out and execute code.
Your input is placed inside a JavaScript string variable. Escape and inject.
Common event handlers (onerror, onload, onclick, etc.) are blocked. Find an obscure one.
Aggressive filter blocks script, alert, onerror (case-insensitive) and strips them. Use encoding or alternative functions.
No server reflection. The vulnerability is entirely in client-side JavaScript reading from the URL.
Your input goes into an anchor href. The filter blocks <script>, event handlers, and the word "javascript". Find a way.
A Content-Security-Policy is in place. Find a way to execute JavaScript despite the policy.
The server URL-decodes then filters. But decoding happens more than once in the pipeline...
All HTML tags are stripped. But a client-side template engine evaluates {{expressions}}.
No forms, no reflection. The page listens for cross-window messages with no origin check.
Upload SVG images that are rendered inline. Script tags are stripped, but SVGs have their own tricks.
A client-side sanitizer strips scripts and event handlers. But the browser's parser may mutate HTML after sanitization.
The filter loops until nothing changes. Nesting tricks are dead. Think about alternative execution contexts.
Your input appears in three contexts at once: HTML body, attribute, and JavaScript string. Find the weakest link.
Scripts and event handlers are blocked. But the page reads global variables that HTML elements can overwrite.
No HTML injection. Your JSON input is merged into a config object. Pollute the prototype chain to achieve XSS.
CSP is in place. Scripts and handlers are blocked. But the page loads scripts via relative URLs and you inject before them.
All execution vectors are blocked. But a CSRF token is nearby. Exfiltrate it without executing any JavaScript.
Your input lands inside a JSON object within a nonced script tag. Angle brackets are escaped. But are quotes?
Your URL goes into an anchor href. Scripts, handlers, and javascript: are blocked. But the browser decodes HTML entities...
Submit feedback to the admin. You won't see your payload execute, but the admin might.
The server filters dangerous characters, then normalizes the text using NFKC. Can you bypass the filter?
Standard scripts are blocked, but you control a style block. Can you exfiltrate a secret token using only CSS?
The page doesn't reflect the URL. But the client-side script reads window.name. Can you smuggle a payload across origins?
The server tracks where you came from. Can you inject a payload via an HTTP header instead of the URL?
This chat app receives messages via WebSockets. Can you exploit the real-time message rendering?
Register a Service Worker to intercept all requests. Requires chaining with a JSONP endpoint.