Educational Purpose Only — Practice only on systems you own or have explicit written permission to test.
XSS Playground
Learn Cross-Site Scripting (XSS) scenarios through hands-on practice. Progress through 4 levels of increasing difficulty.
Level 1: No Filters
This search page reflects user input directly into the response without any sanitization.
Objective:
Execute a JavaScript alert box to prove the XSS vulnerability.
Understanding This Scenario
Reflected XSS occurs when user input is immediately returned by the server in the response.
In this case, the search query is displayed on the page without any encoding, so the browser parses any markup in the query as part of the page, allowing security testers to inject malicious scripts. This is dangerous because:
1. The payload is not stored; it is delivered via a crafted URL
2. Security testers can trick users into clicking malicious links
3. The injected script can extract session cookies or credentials, or perform actions as the user
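The unencoded reflection described above, next to an output-encoded version of the same template, as an added example that is not the playground's own code. The function names, the page template and the sample queries are assumptions constructed for illustration.

```javascript
// Added example: hypothetical search-page renderers, not the playground's code.

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Level 1 behaviour: the query is concatenated into the markup unchanged.
function renderSearchVulnerable(query) {
  return `<p>You searched for: ${query}</p>`;
}

// Hardened form: same template, but the reflected value is HTML-encoded first.
function renderSearchSafe(query) {
  return `<p>You searched for: ${escapeHtml(query)}</p>`;
}

// Defender's check: list every tag in the output that the template itself
// does not emit. Anything returned here came from user input.
function injectedTags(html) {
  const templateTags = new Set(["<p", "</p"]);
  const found = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return found.filter((tag) => !templateTags.has(tag.toLowerCase()));
}

// Constructed sample queries: plain text, the alert proof from the
// objective, and legitimate text that happens to contain special characters.
const samples = [
  "laptop bags",
  "<script>alert(1)</script>",
  "Tom & Jerry's <b>best</b>",
];

for (const query of samples) {
  const unsafe = renderSearchVulnerable(query);
  const safe = renderSearchSafe(query);
  console.log("query:      ", query);
  console.log("vulnerable: ", unsafe, "-> injected:", injectedTags(unsafe));
  console.log("encoded:    ", safe, "-> injected:", injectedTags(safe));
}
```

Encoding at output keeps the user's text intact for display (the browser renders `&lt;b&gt;` as the literal characters `<b>`) while removing its ability to open new elements.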