
Cross-Site Scripting (XSS)

Beginner

This comment board reflects whatever you post directly into the page. Inject JavaScript, bypass filters, and steal the session cookie — then see what actually stops XSS.

Server-side filter: selectable per challenge (none, or script-strip).
Sink: raw HTML inserted directly into the DOM.
Simulated victim page: devforum.io/thread/jwt-security

dan_r (2h ago): Anyone else using Argon2id for password hashing in 2025? bcrypt feels outdated.
mia_sec (1h ago): Just migrated our JWT from HS256 to RS256 — signing is slower but verification is way faster at scale.
priya_k (45m ago): Quick tip: always set HttpOnly + Secure + SameSite=Strict on session cookies.
Attack console
04:13:47 DevForum comment system initialised. Waiting for input…
Victim's document.cookie
session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWxpY2UiLCJyb2xlIjoidXNlciJ9

Challenges

1. Basic Script Injection (filter: none): Post a comment that executes JavaScript. Use the 'No filter' mode.
2. Bypass the Script Filter (filter: script-strip): Execute JavaScript after switching to 'Script strip' mode (which removes <script> tags).
3. Steal the Session Cookie (filter: none): Exfiltrate the victim's session cookie to an external server.
How to fix XSS
Output encoding, CSP, and DOMPurify
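As an added example that is not part of the simulation's own code, the JavaScript below renders the comment board two ways: the raw string concatenation the lab's vulnerable sink performs, and the same template with output encoding applied to every untrusted field. The function names and the sample comments (the three from the simulated thread plus one hostile one) are constructed for this example.

```javascript
// Added example, not the simulation's own code: the comment board below
// builds markup with string concatenation, the way the lab's "raw HTML
// inserted directly into the DOM" sink does, and shows the encoding fix.
// encodeForHtml, renderComment and sampleComments are names chosen here.

// The five characters that can change how the HTML parser reads text that
// sits between tags or inside a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Output encoding for the HTML text/attribute context. Encode, do not strip:
// the text survives intact for the reader, but cannot open a tag or break
// out of a quoted attribute.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What the lab's vulnerable board does: untrusted fields go straight into
// markup that will be assigned to innerHTML. Kept only for comparison.
function renderCommentUnsafe(c) {
  return `<div class="comment"><b>${c.user}</b> <span>${c.age}</span>` +
         `<p>${c.body}</p></div>`;
}

// Hardened version: every untrusted field is encoded for the context it
// lands in. Only the template's own tags remain as markup.
function renderComment(c) {
  return `<div class="comment"><b>${encodeForHtml(c.user)}</b> ` +
         `<span>${encodeForHtml(c.age)}</span>` +
         `<p>${encodeForHtml(c.body)}</p></div>`;
}

// Renders a whole thread; the result is safe to assign to innerHTML.
function renderThread(comments) {
  return comments.map(renderComment).join("\n");
}

// Constructed sample input: the three comments shown on the simulated thread
// plus one hostile comment of the kind challenge 1 asks for.
function sampleComments() {
  return [
    { user: "dan_r", age: "2h ago", body: "Anyone else using Argon2id for password hashing in 2025? bcrypt feels outdated." },
    { user: "mia_sec", age: "1h ago", body: "Just migrated our JWT from HS256 to RS256; signing is slower but verification is way faster at scale." },
    { user: "priya_k", age: "45m ago", body: "Quick tip: always set HttpOnly + Secure + SameSite=Strict on session cookies." },
    { user: "attacker", age: "1m ago", body: "<script>alert(1)</script>" },
  ];
}
```

Where comments must keep some HTML (bold, links), encoding is the wrong tool: sanitize with DOMPurify.sanitize() on an allowed subset instead. In either case, pair the page with a Content-Security-Policy so that an encoding miss in one template cannot run inline script.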

Frequently Asked Questions