Your collected payloads from the XSS Training Lab
| Level | Challenge | Context | Defense | Status | Your Payloads |
|---|---|---|---|---|---|
| Level 1 | Hello, Reflected XSS | HTML Body | None | Unsolved | — |
| Level 2 | Stored XSS Guestbook | HTML Body (Stored) | None | Unsolved | — |
| Level 3 | Script Tag Blocked | HTML Body | <script> stripped | Unsolved | — |
| Level 4 | Attribute Injection | HTML Attribute | None | Unsolved | — |
| Level 5 | JavaScript Context | JS String | < > encoded | Unsolved | — |
| Level 6 | Event Handler Blocklist | HTML Body | 12 event handlers blocked | Unsolved | — |
| Level 7 | Case & Keyword Filter | HTML Body | Single-pass keyword strip | Unsolved | — |
| Level 8 | DOM-Based XSS | DOM (location.hash → innerHTML) | No server-side reflection | Unsolved | — |
| Level 9 | href Injection | href Attribute | javascript: blocked | Unsolved | — |
| Level 10 | CSP Bypass | HTML Body + CSP | script-src 'nonce' 'self' | Unsolved | — |
| Level 11 | Double Encoding | HTML Body | WAF decode + tag/handler/javascript: filter | Unsolved | — |
| Level 12 | Template Injection | Client-side template | All HTML tags stripped | Unsolved | — |
| Level 13 | postMessage XSS | DOM (postMessage → innerHTML) | No reflection, no form | Unsolved | — |
| Level 14 | SVG Upload XSS | Inline SVG | <script> stripped | Unsolved | — |
| Level 15 | Mutation XSS | DOMParser sanitizer + template render | Scripts + event handlers stripped (querySelectorAll) | Unsolved | — |
| Level 16 | Recursive Filter | HTML Body | Recursive keyword loop | Unsolved | — |
| Level 17 | The Polyglot | HTML + Attribute + JS | <script> stripped, " encoded | Unsolved | — |
| Level 18 | DOM Clobbering | HTML Body → window globals | <script>/handlers/javascript: stripped | Unsolved | — |
| Level 19 | Prototype Pollution → XSS | JSON merge → innerHTML | No direct HTML injection | Unsolved | — |
| Level 20 | Base Tag Injection | HTML Body (before scripts) | CSP nonce + self, <script>/handlers stripped | Unsolved | — |
| Level 21 | Dangling Markup | HTML Attribute | All execution vectors blocked | Unsolved | — |
| Level 22 | JSON Injection | JSON in <script> block | CSP nonce, < > Unicode-escaped | Unsolved | — |
| Level 23 | URL Scheme Bypass | a href attribute | <script>/handlers stripped, javascript: blocked | Unsolved | — |
| Level 24 | Blind XSS | Admin Panel (Stored) | No direct feedback | Unsolved | — |
| Level 25 | Unicode Normalization | HTML Body | Tags/handlers stripped, NFKC normalization | Unsolved | — |
| Level 26 | CSS Injection | <style> block | Tags/handlers stripped | Unsolved | — |
| Level 27 | window.name XSS | DOM (window.name → innerHTML) | No URL reflection | Unsolved | — |
| Level 28 | Header Injection | HTML Body (from request header) | No URL reflection | Unsolved | — |
| Level 29 | WebSocket XSS | WebSocket message → innerHTML | No HTTP input | Unsolved | — |
| Level 30 | Service Worker Hijack | navigator.serviceWorker.register | Requires JSONP chain | Unsolved | — |
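Several of the defenses in the table are keyword denylists whose weakness is ordering, not the keyword list itself: Level 7's single-pass strip versus Level 16's recursive loop, and Level 25's NFKC normalization, which only helps if it runs before the filter rather than after it. The block below is an added example, not the lab's own filter code, and its keyword list and function bodies are assumptions chosen to model those defense classes; it contrasts each weak form with the corrected form and ends with the context-appropriate fix (HTML-body encoding) that does not depend on a denylist at all.

```javascript
// Added example, not code from the XSS Training Lab. Models three defense
// classes from the level table (single-pass strip, recursive strip, NFKC
// ordering) on constructed inputs. KEYWORDS and all function bodies are
// assumptions for illustration; they are not the lab's actual filters.

const KEYWORDS = ["javascript:", "script", "onerror", "onload"];

// Level 7 model: each keyword is removed once per occurrence, case-insensitively.
// A global replace does not re-scan what it just produced, so a keyword whose
// removal re-forms another keyword ("scr" + "script" + "ipt") survives.
function singlePassStrip(input) {
  let out = input;
  for (const kw of KEYWORDS) {
    out = out.replace(new RegExp(kw, "gi"), "");
  }
  return out;
}

// Level 16 model: repeat the pass until a fixpoint, so re-formed keywords
// are caught on the next iteration.
function recursiveStrip(input) {
  let prev;
  let out = input;
  do {
    prev = out;
    out = singlePassStrip(out);
  } while (out !== prev);
  return out;
}

// Level 25 model, weak ordering: filter on the raw string, then normalize.
// Fullwidth forms (U+FF1C, U+FF53 ...) do not match /script/i, but NFKC maps
// them to ASCII "<script>" after the filter has already run.
function filterThenNormalize(input) {
  return recursiveStrip(input).normalize("NFKC");
}

// Corrected ordering: canonicalize first so the filter sees what the
// browser will eventually see.
function normalizeThenFilter(input) {
  return recursiveStrip(input.normalize("NFKC"));
}

// The non-denylist fix for an HTML-body sink: encode the five characters
// that carry structural meaning, so no keyword list is needed.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs exercising each filter class.
const NESTED = "<scrscriptipt>alert(1)</scrscriptipt>";
const FULLWIDTH = "\uFF1C\uFF53\uFF43\uFF52\uFF49\uFF50\uFF54\uFF1E"; // "＜ｓｃｒｉｐｔ＞"

function demo() {
  return {
    singlePass: singlePassStrip(NESTED),        // keyword re-forms: "<script>alert(1)</script>"
    recursive: recursiveStrip(NESTED),          // fixpoint reached: "<>alert(1)</>"
    filterFirst: filterThenNormalize(FULLWIDTH), // filter missed it: "<script>"
    normalizeFirst: normalizeThenFilter(FULLWIDTH), // "<>"
    encoded: escapeHtml("<script>"),            // "&lt;script&gt;"
  };
}

console.log(demo());
```

The `demo()` output makes the two failure modes visible side by side: the single-pass strip turns the nested input into a well-formed `<script>` tag, and the filter-then-normalize order lets the fullwidth input through untouched until NFKC rewrites it. Neither ordering fix changes the fact that `escapeHtml` is the only one of these that is safe for an arbitrary HTML-body sink; the strip functions are there to show why the lab's denylist levels are solvable.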