> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# Cross-Site Scripting (XSS)

> Cross-platform resources for Cross-Site Scripting (XSS): curated HTB machines, PortSwigger labs and TryHackMe rooms with validated writeups and related skills.

# Cross-Site Scripting (XSS)

This page aggregates **cross-platform resources to practice Cross-Site Scripting (XSS)**: retired Hack The Box machines, PortSwigger Web Security Academy labs and TryHackMe rooms, plus curated resources (HackTricks, PortSwigger, etc.) and related skills.

## Curated resources

| Source      | Link                                                                                                                                                                     |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| HackTricks  | [https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/index.html](https://book.hacktricks.wiki/en/pentesting-web/xss-cross-site-scripting/index.html) |
| PortSwigger | [https://portswigger.net/web-security/cross-site-scripting](https://portswigger.net/web-security/cross-site-scripting)                                                   |

## HTB machines practicing Cross-Site Scripting (XSS) (13)

| Machine                                                   | OS      | Difficulty                                           |
| --------------------------------------------------------- | ------- | ---------------------------------------------------- |
| [Anubis](/en/htb/machines/windows/insano/anubis)          | Windows | <span className="dbadge dbadge-insane">INSANE</span> |
| [Bankrobber](/en/htb/machines/windows/insano/bankrobber)  | Windows | <span className="dbadge dbadge-insane">INSANE</span> |
| [Book](/en/htb/machines/linux/medio/book)                 | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [CrossFit](/en/htb/machines/linux/insano/crossfit)        | Linux   | <span className="dbadge dbadge-insane">INSANE</span> |
| [EarlyAccess](/en/htb/machines/linux/dificil/earlyaccess) | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Holiday](/en/htb/machines/linux/dificil/holiday)         | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Nightmare](/en/htb/machines/linux/insano/nightmare)      | Linux   | <span className="dbadge dbadge-insane">INSANE</span> |
| [OverGraph](/en/htb/machines/linux/dificil/overgraph)     | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Quick](/en/htb/machines/linux/dificil/quick)             | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [RedCross](/en/htb/machines/linux/medio/redcross)         | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Schooled](/en/htb/machines/linux/medio/schooled)         | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [SecNotes](/en/htb/machines/windows/medio/secnotes)       | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Stacked](/en/htb/machines/linux/insano/stacked)          | Linux   | <span className="dbadge dbadge-insane">INSANE</span> |

## PortSwigger labs practicing Cross-Site Scripting (XSS) (36)

| Lab                                                                                                                                                                                                                                                                         | Difficulty                                                 | Topic                      | Official                                                                                                                                                                   |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [DOM XSS in document.write sink using source location.search](/en/portswigger/labs/cross-site-scripting/dom-based-document-write-sink)                                                                                                                                      | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink)                                                                        |
| [DOM XSS in innerHTML sink using source location.search](/en/portswigger/labs/cross-site-scripting/dom-based-innerhtml-sink)                                                                                                                                                | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-innerhtml-sink)                                                                             |
| [DOM XSS in jQuery anchor href attribute sink using location.search source](/en/portswigger/labs/cross-site-scripting/dom-based-jquery-href-attribute-sink)                                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink)                                                                 |
| [DOM XSS in jQuery selector sink using a hashchange event](/en/portswigger/labs/cross-site-scripting/dom-based-jquery-selector-hash-change-event)                                                                                                                           | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-selector-hash-change-event)                                                          |
| [Exploiting DOM clobbering to enable XSS](/en/portswigger/labs/dom-based/dom-clobbering-dom-xss-exploiting-dom-clobbering)                                                                                                                                                  | <span className="dbadge dbadge-easy">APPRENTICE</span>     | DOM-based Vulnerabilities  | [Open](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)                                                                |
| [Reflected XSS in a JavaScript URL with some characters blocked](/en/portswigger/labs/cross-site-scripting/contexts-javascript-url-some-characters-blocked)                                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked)                                                      |
| [Reflected XSS into a JavaScript string with angle brackets HTML encoded](/en/portswigger/labs/cross-site-scripting/contexts-javascript-string-angle-brackets-html-encoded)                                                                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-html-encoded)                                               |
| [Reflected XSS into attribute with angle brackets HTML-encoded](/en/portswigger/labs/cross-site-scripting/contexts-attribute-angle-brackets-html-encoded)                                                                                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-attribute-angle-brackets-html-encoded)                                                       |
| [Reflected XSS into HTML context with nothing encoded](/en/portswigger/labs/cross-site-scripting/reflected-html-context-nothing-encoded)                                                                                                                                    | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded)                                                               |
| [Reflected XSS protected by CSP, with CSP bypass](/en/portswigger/labs/cross-site-scripting/content-security-policy-csp-bypass)                                                                                                                                             | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-csp-bypass)                                                                   |
| [Reflected XSS with event handlers and href attributes blocked](/en/portswigger/labs/cross-site-scripting/contexts-event-handlers-and-href-attributes-blocked)                                                                                                              | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-event-handlers-and-href-attributes-blocked)                                                  |
| [Stored XSS into anchor href attribute with double quotes HTML-encoded](/en/portswigger/labs/cross-site-scripting/contexts-href-attribute-double-quotes-html-encoded)                                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-href-attribute-double-quotes-html-encoded)                                                   |
| [Stored XSS into HTML context with nothing encoded](/en/portswigger/labs/cross-site-scripting/stored-html-context-nothing-encoded)                                                                                                                                          | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded)                                                                  |
| [DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded](/en/portswigger/labs/cross-site-scripting/dom-based-angularjs-expression)                                                                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)                                                                       |
| [DOM XSS in document.write sink using source location.search inside a select element](/en/portswigger/labs/cross-site-scripting/dom-based-document-write-sink-inside-select-element)                                                                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink-inside-select-element)                                                  |
| [DOM XSS using web messages](/en/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages)                                                                                                                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | DOM-based Vulnerabilities  | [Open](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages)                                                   |
| [DOM XSS using web messages and a JavaScript URL](/en/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages-and-a-javascript-url)                                                                                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | DOM-based Vulnerabilities  | [Open](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url)                              |
| [DOM XSS using web messages and JSON.parse](/en/portswigger/labs/dom-based/controlling-the-web-message-source-dom-xss-using-web-messages-and-json-parse)                                                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | DOM-based Vulnerabilities  | [Open](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse)                                    |
| [DOM XSS via an alternative prototype pollution vector](/en/portswigger/labs/prototype-pollution/client-side-prototype-pollution-dom-xss-via-an-alternative-prototype-pollution-vector)                                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution        | [Open](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-dom-xss-via-an-alternative-prototype-pollution-vector)                 |
| [DOM XSS via client-side prototype pollution](/en/portswigger/labs/prototype-pollution/client-side-prototype-pollution-dom-xss-via-client-side-prototype-pollution)                                                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Prototype Pollution        | [Open](https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-dom-xss-via-client-side-prototype-pollution)                           |
| [Exploiting clickjacking vulnerability to trigger DOM-based XSS](/en/portswigger/labs/clickjacking/exploiting-to-trigger-dom-based-xss)                                                                                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Clickjacking               | [Open](https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss)                                                                          |
| [Exploiting cross-site scripting to capture passwords](/en/portswigger/labs/cross-site-scripting/exploiting-capturing-passwords)                                                                                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-capturing-passwords)                                                                       |
| [Exploiting cross-site scripting to steal cookies](/en/portswigger/labs/cross-site-scripting/exploiting-stealing-cookies)                                                                                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies)                                                                          |
| [Exploiting HTTP request smuggling to deliver reflected XSS](/en/portswigger/labs/request-smuggling/exploiting-deliver-reflected-xss)                                                                                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | HTTP Request Smuggling     | [Open](https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss)                                                                        |
| [Exploiting XSS to bypass CSRF defenses](/en/portswigger/labs/cross-site-scripting/exploiting-perform-csrf)                                                                                                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf)                                                                              |
| [Reflected DOM XSS](/en/portswigger/labs/cross-site-scripting/dom-based-dom-xss-reflected)                                                                                                                                                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-reflected)                                                                          |
| [Reflected XSS in canonical link tag](/en/portswigger/labs/cross-site-scripting/contexts-canonical-link-tag)                                                                                                                                                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-canonical-link-tag)                                                                          |
| [Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped](/en/portswigger/labs/cross-site-scripting/contexts-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped)                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped)                |
| [Reflected XSS into a JavaScript string with single quote and backslash escaped](/en/portswigger/labs/cross-site-scripting/contexts-javascript-string-single-quote-backslash-escaped)                                                                                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-single-quote-backslash-escaped)                                            |
| [Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped](/en/portswigger/labs/cross-site-scripting/contexts-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped) |
| [Reflected XSS into HTML context with all tags blocked except custom ones](/en/portswigger/labs/cross-site-scripting/contexts-html-context-with-all-standard-tags-blocked)                                                                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-all-standard-tags-blocked)                                                 |
| [Reflected XSS into HTML context with most tags and attributes blocked](/en/portswigger/labs/cross-site-scripting/contexts-html-context-with-most-tags-and-attributes-blocked)                                                                                              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked)                                          |
| [Reflected XSS protected by very strict CSP, with dangling markup attack](/en/portswigger/labs/cross-site-scripting/content-security-policy-very-strict-csp-with-dangling-markup-attack)                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-very-strict-csp-with-dangling-markup-attack)                                  |
| [Reflected XSS with some SVG markup allowed](/en/portswigger/labs/cross-site-scripting/contexts-some-svg-markup-allowed)                                                                                                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed)                                                                     |
| [Stored DOM XSS](/en/portswigger/labs/cross-site-scripting/dom-based-dom-xss-stored)                                                                                                                                                                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-stored)                                                                             |
| [Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped](/en/portswigger/labs/cross-site-scripting/contexts-onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped)      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS) | [Open](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped)     |

## TryHackMe rooms practicing Cross-Site Scripting (XSS) (10)

| Room                                                                   | Difficulty                                         | Type        | Access  | Official                                                  |
| ---------------------------------------------------------------------- | -------------------------------------------------- | ----------- | ------- | --------------------------------------------------------- |
| [25 Days of Cyber Security](/en/tryhackme/rooms/learncyberin25days)    | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/learncyberin25days)     |
| [Advent of Cyber 2 \[2020\]](/en/tryhackme/rooms/adventofcyber2)       | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/adventofcyber2)         |
| [Custom Tooling Using Python](/en/tryhackme/rooms/customtoolingpython) | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/customtoolingpython)    |
| [Intro to Cross-site Scripting](/en/tryhackme/rooms/xss)               | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🔵 VIP  | [Open](https://tryhackme.com/room/xss)                    |
| [Learn Rust](/en/tryhackme/rooms/rust)                                 | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/rust)                   |
| [OWASP Juice Shop](/en/tryhackme/rooms/owaspjuiceshop)                 | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/owaspjuiceshop)         |
| [Web Application Basics](/en/tryhackme/rooms/webapplicationbasics)     | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/webapplicationbasics)   |
| [XSS](/en/tryhackme/rooms/axss)                                        | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/axss)                   |
| [XSS - Merry XSSMas](/en/tryhackme/rooms/xss-aoc2025-c5j8b1m4t6)       | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/xss-aoc2025-c5j8b1m4t6) |
| [NahamStore](/en/tryhackme/rooms/nahamstore)                           | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge   | 🟢 Free | [Open](https://tryhackme.com/room/nahamstore)             |

## Related skills

* [/en/skills/sqli](/en/skills/sqli)
* [/en/skills/ssrf](/en/skills/ssrf)

***

← [Back to the full glossary](/en/glossary)

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"DefinedTerm","name":"Cross-Site Scripting (XSS)","termCode":"xss","inLanguage":"en","url":"https://rootea.es/en/skills/xss","inDefinedTermSet":{"@type":"DefinedTermSet","name":"Tactical pentesting glossary","url":"https://rootea.es/en/glossary"}}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"HTB machines practicing Cross-Site Scripting (XSS)","numberOfItems":13,"itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/en/htb/machines/windows/insano/anubis","name":"Anubis"},{"@type":"ListItem","position":2,"url":"https://rootea.es/en/htb/machines/windows/insano/bankrobber","name":"Bankrobber"},{"@type":"ListItem","position":3,"url":"https://rootea.es/en/htb/machines/linux/medio/book","name":"Book"},{"@type":"ListItem","position":4,"url":"https://rootea.es/en/htb/machines/linux/insano/crossfit","name":"CrossFit"},{"@type":"ListItem","position":5,"url":"https://rootea.es/en/htb/machines/linux/dificil/earlyaccess","name":"EarlyAccess"},{"@type":"ListItem","position":6,"url":"https://rootea.es/en/htb/machines/linux/dificil/holiday","name":"Holiday"},{"@type":"ListItem","position":7,"url":"https://rootea.es/en/htb/machines/linux/insano/nightmare","name":"Nightmare"},{"@type":"ListItem","position":8,"url":"https://rootea.es/en/htb/machines/linux/dificil/overgraph","name":"OverGraph"},{"@type":"ListItem","position":9,"url":"https://rootea.es/en/htb/machines/linux/dificil/quick","name":"Quick"},{"@type":"ListItem","position":10,"url":"https://rootea.es/en/htb/machines/linux/medio/redcross","name":"RedCross"},{"@type":"ListItem","position":11,"url":"https://rootea.es/en/htb/machines/linux/medio/schooled","name":"Schooled"},{"@type":"ListItem","position":12,"url":"https://rootea.es/en/htb/machines/windows/medio/secnotes","name":"SecNotes"},{"@type":"ListItem","position":13,"url":"https://rootea.es/en/htb/machines/linux/insano/stacked","name":"Stacked"}]}`}
</script>

*Last updated: 2026-05-09*
