## https://sploitus.com/exploit?id=9E6C9DD8-F4CB-5228-85F8-39DB229B426B
# PortSwigger Web Security Academy โ XSS Labs (All 30 Completed)
> Personal notes from completing every Cross-Site Scripting lab on [PortSwigger Web Security Academy](https://portswigger.net/web-security/cross-site-scripting).
> Documented for learning purposes as part of my web application security journey.
๐ **Full write-up:**https://medium.com/@sukansh.07/i-just-completed-all-30-portswigger-xss-labs-heres-everything-i-learned-1fcd7d92ab42*
๐ **LinkedIn:** https://www.linkedin.com/in/sukanshh/
---
## What's in This Repo
Each lab has its own note file covering:
- What the vulnerability is and where it lives
- The exact payload used
- The key concept or technique it teaches
The labs are grouped by theme below โ which I find more useful than going through them in order.
---
## Lab Index
### ๐ด Reflected & Stored XSS (Basics)
| # | Lab | Key Technique |
|---|-----|---------------|
| 1 | [Reflected XSS โ nothing encoded](labs/lab01-reflected-xss-basic.md) | `alert(1)` โ baseline |
| 2 | [Stored XSS โ nothing encoded](labs/lab02-stored-xss-basic.md) | Stored in comments, fires for every visitor |
---
### ๐ DOM-Based XSS
| # | Lab | Key Technique |
|---|-----|---------------|
| 3 | [DOM XSS via document.write()](labs/lab03-dom-xss-document-write.md) | Breaks out of `` attribute |
| 4 | [DOM XSS via innerHTML](labs/lab04-dom-xss-innerhtml.md) | `` โ `` doesn't work in innerHTML |
| 5 | [DOM XSS via jQuery href sink](labs/lab05-dom-xss-jquery-href.md) | `javascript:` scheme in anchor href |
| 6 | [DOM XSS via jQuery hashchange](labs/lab06-dom-xss-jquery-hashchange.md) | `$()` as HTML sink, iframe delivery |
| 10 | [DOM XSS via document.write in select](labs/lab10-dom-xss-select.md) | Closes `` to inject payload |
| 12 | [Reflected DOM XSS via eval()](labs/lab12-reflected-dom-xss-eval.md) | Backslash cancels server's own escaping |
| 13 | [Stored DOM XSS via replace()](labs/lab13-stored-dom-xss-replace.md) | `replace()` vs `replaceAll()` โ dummy `<>` trick |
---
### ๐ก Breaking Out of Attributes & JS Strings
| # | Lab | Key Technique |
|---|-----|---------------|
| 7 | [Reflected XSS in HTML attribute](labs/lab07-reflected-xss-attribute.md) | Close attribute with `"`, inject event handler |
| 8 | [Stored XSS in anchor href](labs/lab08-stored-xss-href.md) | `javascript:` needs no special chars |
| 9 | [Reflected XSS in JS string](labs/lab09-reflected-xss-js-string.md) | Close single-quoted JS string |
| 18 | [XSS in script block, quotes & backslash escaped](labs/lab18-xss-script-block-escape.md) | `` closes block regardless of JS context |
| 19 | [XSS in JS string, single quotes escaped](labs/lab19-xss-js-string-backslash.md) | Send `\` to neutralise server's escaping backslash |
| 20 | [Stored XSS in onclick, everything escaped](labs/lab20-stored-xss-onclick-entities.md) | HTML entities (`'`) decoded before JS runs |
| 21 | [XSS in template literal](labs/lab21-xss-template-literal.md) | `${}` interpolation โ no escaping needed |
---
### ๐ข WAF Bypass & Tag Injection
| # | Lab | Key Technique |
|---|-----|---------------|
| 14 | [XSS with most tags blocked](labs/lab14-xss-waf-body-onresize.md) | Fuzz with Intruder, iframe to trigger onresize |
| 15 | [XSS with all standard tags blocked](labs/lab15-xss-custom-tags.md) | Custom tags + tabindex + `#fragment` auto-focus |
| 16 | [XSS with some SVG allowed](labs/lab16-xss-svg-animatetransform.md) | `` โ SVG gaps in WAFs |
| 17 | [XSS in canonical link tag](labs/lab17-xss-canonical-link.md) | accesskey + onclick in `` in `` |
| 27 | [XSS with event handlers and href blocked](labs/lab27-xss-svg-animate.md) | SVG `` sets href dynamically at runtime |
---
### ๐ต AngularJS Sandbox Escapes
| # | Lab | Key Technique |
|---|-----|---------------|
| 11 | [DOM XSS in AngularJS expression](labs/lab11-angularjs-expression.md) | `{{$on.constructor('alert(1)')()}}` |
| 25 | [AngularJS sandbox escape without strings](labs/lab25-angularjs-no-strings.md) | `fromCharCode()` + `orderBy` filter evaluation |
| 26 | [AngularJS sandbox escape with CSP](labs/lab26-angularjs-csp.md) | `ng-focus` + `$event.composedPath()` + `#fragment` |
---
### ๐ฃ Real-World XSS Exploitation
| # | Lab | Key Technique |
|---|-----|---------------|
| 22 | [XSS to steal cookies](labs/lab22-xss-steal-cookies.md) | `fetch()` to Burp Collaborator โ requires no HttpOnly |
| 23 | [XSS to capture passwords](labs/lab23-xss-capture-passwords.md) | Fake form fields trigger browser autofill |
| 24 | [XSS to bypass CSRF](labs/lab24-xss-bypass-csrf.md) | Same-origin fetch reads CSRF token, submits request |
---
### โซ Advanced โ CSP Bypass, Dangling Markup, JS URL
| # | Lab | Key Technique |
|---|-----|---------------|
| 28 | [XSS in JS URL with chars blocked](labs/lab28-xss-js-url-throw.md) | `throw` + `onerror` as alternative execution path |
| 29 | [XSS with strict CSP โ dangling markup](labs/lab29-dangling-markup.md) | Unclosed `` closes a script block even inside a JS string. HTML entities decode before JS evaluates. Parse order unlocks a whole class of bypasses.
5. **XSS defeats CSRF completely.** CSRF tokens stop cross-site attacks. XSS gives you same-origin execution โ the token is just a `fetch()` away.
6. **CSP fails in multiple ways.** Whitelisted libraries (AngularJS), user input in the header, and overly strict policies that push you toward dangling markup instead.
7. **`HttpOnly` is not optional.** It's the difference between a cookie theft attack working and not working โ one flag.
---
## Structure
```
portswigger-xss-labs/
โโโ README.md
โโโ labs/
โโโ lab01-reflected-xss-basic.md
โโโ lab02-stored-xss-basic.md
โโโ ... (one file per lab)
```
---
## Disclaimer
These notes are for **educational purposes only**, documenting completed exercises on PortSwigger Web Security Academy โ a legal, sandboxed training platform designed for learning web security.
All techniques here should only ever be applied to systems you own or have explicit permission to test.
---
## Resources
- [PortSwigger Web Security Academy โ XSS](https://portswigger.net/web-security/cross-site-scripting)
- [PortSwigger XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
---
*If this helped you, consider giving it a โญ โ and feel free to open an issue if you spot anything wrong.*