0:["$","$L3",null,{"buildId":"vo8fp0lEXtHJblDZCh3_H","assetPrefix":"","urlParts":["","zh","simulator"],"initialTree":["",{"children":[["locale","zh","d"],{"children":["simulator",{"children":["__PAGE__",{}]}]}]},"$undefined","$undefined",true],"initialSeedData":["",{"children":[["locale","zh","d"],{"children":["simulator",{"children":["__PAGE__",{},[["$L4",["$","$L5",null,{"locale":"zh"}],[["$","link","0",{"rel":"stylesheet","href":"/_next/static/css/db946c6771c71925.css","precedence":"next","crossOrigin":"$undefined"}]]],null],null]},[[null,[["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":[\"SoftwareApplication\",\"WebApplication\"],\"name\":\"XSS 模拟看板 — Stored / Reflected / DOM 攻击流交互演示\",\"url\":\"https://xss-playground.com/zh/simulator\",\"description\":\"在一个画面中分步可视化攻击者 input → 数据库 → 服务器 render → 浏览器 sink 全流程的交互式 XSS 模拟器。通过快捷键选择 payload，可在 sandbox iframe 内观察 alert、postMessage、表单提交、顶级导航等真实效果。\",\"inLanguage\":\"zh\",\"applicationCategory\":\"SecurityApplication\",\"applicationSubCategory\":\"EducationalApplication\",\"operatingSystem\":\"Any (web browser)\",\"browserRequirements\":\"Requires JavaScript. Designed for desktop ≥ 1120px.\",\"isAccessibleForFree\":true,\"offers\":{\"@type\":\"Offer\",\"price\":\"0\",\"priceCurrency\":\"USD\"},\"author\":{\"@type\":\"Person\",\"name\":\"Sangmook Kim\",\"url\":\"https://github.com/Kimsangmook\"},\"isPartOf\":{\"@type\":\"WebSite\",\"name\":\"XSS Playground\",\"url\":\"https://xss-playground.com/zh\"}}"}}],["$","$L6",null,{"parallelRouterKey":"children","segmentPath":["children","$7","children","simulator","children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L8",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","notFoundStyles":"$undefined"}]]],null],null]},[[null,["$","div",null,{"className":"layout","children":[["$","$L9",null,{"locale":"zh","dict":{"site":{"name":"XSS Playground","tagline":"复制即可测试的 XSS 场景集","description":"面向授权测试的公开安全测试平台，可检查 script 标签、事件处理器、javascript: URL、DOM sink、iframe 嵌入与 postMessage 风险。","keywords":["XSS 测试","iframe 安全","Web 安全","postMessage 校验","CSP","sandbox","DOM XSS","安全培训"]},"nav":{"home":"首页","simulator":"模拟器","learn":"学习笔记","forum":"论坛","github":"GitHub"},"home":{"aboutHeading":"About","aboutBody":["我是前端开发者 Sangmook Kim。本站不是某个产品专用的 PoC，而是供所有人验证自有或被授权服务的 XSS 防护的公开 playground。","每个场景都把真实浏览器风险拆成小型测试页面：script 标签、事件属性、javascript: URL、DOM sink、嵌入式 iframe、父页面消息通信、欺骗性 UI 和自动请求。","从场景卡片或详情页复制 HTML payload 或 iframe 代码，粘贴到自己的项目中，检查渲染结果与真实浏览器行为。"],"contact":"联系","intentHeading":"项目意图","intentBody":["XSS 防护不能只靠某个 HTML 过滤器名称或一行过滤规则完成。需要在真实浏览器中确认 iframe、消息、权限提示、自动请求和欺骗性 UI 到底能运行到什么程度。","本站不是攻击自动化工具，而是帮助开发者和安全团队在自有或授权服务中复现并检查渲染策略的清单。","所有代码片段都以复制到 dev / staging 环境为前提。若 HTML payload 执行或 iframe 场景可运行，就是需要排查的信号；若被阻止，则可以记录是哪条策略发挥了作用。"],"threatsHeading":"XSS 威胁地图","threatsIntro":"参考 Hacker101 CTF 的 XSS Playground 分类与 PortSwigger Web Security Academy 指南，本站将需要测试的风险整理如下。","threats":[{"title":"Reflected XSS","body":"查询参数、搜索词、错误消息等当前请求中的数据未经正确输出编码就被立即反射到 HTML 中。"},{"title":"Stored XSS","body":"评论、资料、文档正文等已保存的用户输入随后被其他用户以活动内容形式渲染。"},{"title":"DOM-based XSS","body":"客户端代码读取 location、hash、postMessage 等不可信值，并写入 innerHTML 或字符串计时器等危险 sink。"},{"title":"Filter / CSP bypass","body":"事件处理器、SVG/MathML、javascript: URL、编码与模板语法可能绕过薄弱黑名单或不完整 CSP。"},{"title":"Account abuse","body":"脚本一旦执行，就可以以用户权限发起请求、操纵页面，并利用该用户可访问的数据。"},{"title":"Phishing / exfiltration","body":"iframe、覆盖层、通知、剪贴板和 postMessage 可能诱导用户输入机密，或把可观察信息发送到外部。"}],"referencesHeading":"参考资料","references":[{"label":"Hacker101 CTF write-ups","href":"https://github.com/8r0wn13/hacker101_ctf"},{"label":"PortSwigger XSS overview","href":"https://portswigger.net/web-security/cross-site-scripting"},{"label":"PortSwigger XSS cheat sheet","href":"https://portswigger.net/web-security/cross-site-scripting/cheat-sheet"},{"label":"PayloadsAllTheThings XSS","href":"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md"}],"scenariosHeading":"场景","scenariosIntro":"按类别整理的攻击场景。可直接从卡片复制 HTML payload 或 embed 代码，也可进入详情页深入测试。","howToUseHeading":"使用方法","howToUseSteps":["打开目标场景页面。","从首页卡片或详情页复制 HTML payload 或 iframe 代码。","粘贴到自有服务（编辑器、笔记、wiki 等）并保存。","检查渲染、sandbox、CSP、postMessage 校验和实际浏览器行为。"],"warningTitle":"注意","warningBody":"请仅对您有权测试的服务进行测试。对第三方服务的试探可能违反相关计算机网络法规。","contributingHeading":"贡献 (Issues / PR)","contributingBody":["本项目采用 source-available 许可证。源代码公开供查看与贡献，但不允许 fork 后另行部署、镜像或用于商业服务。","欢迎提交想法、缺陷报告、翻译改进与新场景建议。请先在 Issue 中讨论方案；获得认可后可被加为 collaborator，直接在本仓库中创建分支并提交 PR，避免长期维护 fork。","完整政策见 LICENSE 与 CONTRIBUTING.md。"],"contributingLinks":[{"label":"提交 Issue","href":"https://github.com/Kimsangmook/xss-playground/issues/new/choose"},{"label":"Pull Requests","href":"https://github.com/Kimsangmook/xss-playground/pulls"},{"label":"CONTRIBUTING.md","href":"https://github.com/Kimsangmook/xss-playground/blob/main/CONTRIBUTING.md"},{"label":"LICENSE","href":"https://github.com/Kimsangmook/xss-playground/blob/main/LICENSE"}]},"scenarioPage":{"sandboxMatrix":"按 sandbox 策略的行为","policy":"策略","expectedResult":"预期结果","noSandbox":"无 sandbox","scriptsOnly":"sandbox=\"allow-scripts\"","fullSandbox":"sandbox=\"\" (最严)","sopBlocks":"此场景由 Same-Origin Policy 直接阻止，与 sandbox 无关。","works":"通过","blocked":"阻止","partial":"部分","actions":"执行","explanation":"说明","embedSnippet":"Embed 代码","embedSnippetDescription":"此代码使用专用嵌入页面。粘贴到您的服务后检查渲染或拦截行为。","embeddedBadge":"EMBEDDED","htmlSurfaceTitle":"HTML payload 测试","domSurfaceTitle":"DOM sink 测试","surfaceDescription":"该场景测试用户输入在 HTML/DOM 中的渲染方式，而非 iframe sandbox 行为。","sandboxPresetLabels":["无 sandbox (默认行为)","sandbox=\"\" (最严)","sandbox=\"allow-scripts\"","sandbox=\"allow-scripts allow-same-origin\"","sandbox=\"allow-scripts allow-top-navigation\"","sandbox=\"allow-scripts allow-forms allow-popups\""],"copySnippet":"复制","copied":"已复制"},"scenarios":{"script-tag-injection":{"title":"script tag injection","summary":"Check whether a raw script tag executes when user input is parsed as an HTML document."},"event-handler-attribute":{"title":"Event-handler attribute injection","summary":"Check whether on* attributes such as img onerror or details ontoggle survive filtering and execute."},"javascript-url":{"title":"javascript: URL protocol","summary":"Check whether javascript: remains in URL attributes such as href or action and executes on user interaction."},"svg-onload":{"title":"SVG / MathML onload payload","summary":"Check whether SVG, MathML namespaces, and event attributes bypass weak filters."},"dom-innerhtml-sink":{"title":"DOM innerHTML sink","summary":"Check whether location, hash, postMessage, or other untrusted values reach unsafe sinks such as innerHTML."},"top-redirect":{"title":"top.location forced redirect","summary":"Replace the entire parent window from inside an iframe. The classic test for sandbox allow-top-navigation.","body":{"actionLabels":{"tryTop":"window.top.location = url","tryAssign":"window.top.location.assign()","tryAnchor":" fake click","tryMetaRefresh":"meta refresh (same-origin only)","scheduleAuto":"Auto-fire in {n}s (phishing scenario)","clearLog":"Clear log"},"logMessages":{"checkTop":"window.top === window.self ? {value}","tryTopLog":"try: window.top.location = \"{target}\"","successNav":"call succeeded (page navigating shortly)","tryAssignLog":"try: window.top.location.assign(\"{target}\")","successPlain":"call succeeded","blocked":"blocked: {message}","tryAnchorLog":"try: fake click","anchorCalled":"click dispatched (navigation if allowed)","tryMetaLog":"try: insert meta http-equiv=\"refresh\" (same-origin only)","metaInserted":"meta refresh inserted","autoScheduled":"auto-redirect scheduled in {n}s"},"explanation":["Changing window.top.location is allowed by default even cross-origin. SOP does not protect this surface.","To block it, do not grant allow-top-navigation in sandbox. Even sandbox=\"allow-scripts\" is enough to block.","The attack value is high: right after the user clicks something inside a trusted service, the whole tab can be replaced by a phishing site."]}},"post-message":{"title":"postMessage spoofing","summary":"Send forged messages to the parent via parent.postMessage. If the parent skips event.origin validation, it can trust attacker-crafted payloads.","body":{"actionLabels":{"presetString":"plain string","presetAuth":"auth-style object","presetRouter":"router-style object","presetResize":"iframe-resize style object","presetScript":"script string (eval-trap probe)","clearLog":"Clear log"},"logMessages":{"sending":"parent.postMessage({data}, \"{target}\")","sent":"sent","sendFailed":"send failed: {message}"},"text":{"targetOriginLabel":"target origin","targetPlaceholder":"\"*\" or a specific origin"},"explanation":["postMessage is the intended cross-origin channel. SOP does not block it. Parent must validate event.origin rigorously.","If the parent runs iframe-resizer, a payment widget, the YouTube IFrame API, etc., mimicking their message format is a common attack pattern.","Defense: validate event.origin + message type/schema on the parent. In sandbox, only sandbox=\"\" (empty) actually blocks postMessage."]}},"phishing-form":{"title":"Fake login form (phishing)","summary":"Show a form that looks identical to the parent site's login UI and exfiltrate the credentials.","body":{"actionLabels":{"submit":"Sign in","clearLog":"Clear log"},"logMessages":{"captured":"captured credentials: email={email} password={password}","notice":"A real attack would send these via fetch / sendBeacon to an attacker server. (This PoC does not transmit anything.)"},"text":{"callout":"In a real attack this iframe would be placed inside the parent page to look like the service's own modal or login area. The user has no easy way to tell the domain is attacker.example. (Combined with the fullscreen overlay scenario, even more dangerous.)","formHeading":"Fake login form (free to draw anything inside its own origin)","emailLabel":"Email","passwordLabel":"Password","logsHeading":"Captured log","emailPlaceholder":"you@example.com"},"explanation":["The form inside the iframe is just a page on its own origin, so it can render any UI and POST values to its own server. SOP is irrelevant here.","Even sandbox=\"allow-scripts\" blocks form submit, but JS can still collect the values and fetch them out. Only sandbox=\"\" truly blocks JS.","The strongest mitigation is a host allowlist on iframe src. If only trusted hosts (YouTube/Vimeo) are allowed, this scenario does not even start."]}},"auto-download":{"title":"Auto-download trigger","summary":"Force a file download without any user click."},"popup-spam":{"title":"popup / window.open spam","summary":"Open new windows. Same-origin popups can host arbitrary phishing UI."},"autoplay-media":{"title":"Autoplay media / forced fullscreen","summary":"Autoplay sound video, call requestFullscreen, and observe what gets through."},"notification-permission":{"title":"Notification permission / push hijack","summary":"Trigger Notification.requestPermission so the attacker domain can later push notifications."},"clipboard-hijack":{"title":"Clipboard hijack","summary":"Intercept the copy event and overwrite clipboard contents."},"fullscreen-overlay":{"title":"Fullscreen overlay impersonation","summary":"Cover the parent page with a fake but pixel-perfect UI rendered inside the iframe.","body":{"actionLabels":{"showOverlay":"Show fake service overlay","tryRealFs":"Real fullscreen API","clearLog":"Clear log","login":"Sign in","closePoc":"(close PoC)"},"logMessages":{"tryFs":"try document.documentElement.requestFullscreen()","fsEntered":"entered fullscreen","blocked":"blocked: {message}"},"text":{"callout":"In a real attack the iframe itself is positioned as position:fixed; inset:0; via the parent's CSS. Because the iframe is its own origin, it can draw any UI inside, fooling users into believing they are on the real service.","overlayTitle":"Example Workspace — re-authentication required","overlayBody":"Please sign in again due to a security policy change. (This is a fake screen.)","emailLabel":"Email","passwordLabel":"Password"},"explanation":["How the iframe is laid out is the parent page's responsibility. If the service stretches arbitrary iframes to 100% width/height, visual impersonation is already possible.","The real fullscreen API requires a user gesture, but a plain DOM overlay with z-index:99999 works immediately with no gesture."]}},"history-pollution":{"title":"history.pushState pollution","summary":"Push a flood of history entries to wreck the parent's back-button behavior."},"sop-probe":{"title":"Same-Origin Policy probe (what is blocked)","summary":"Try to reach parent.document, parent.localStorage, parent cookies — confirm what SOP actually blocks."},"form-auto-submit":{"title":"Hidden form auto-submit (CSRF-style)","summary":"Submit a form to a third-party endpoint without user input."},"beacon-exfil":{"title":"sendBeacon / fetch exfiltration","summary":"Exfiltrate everything observable inside the iframe to an attacker server."},"csrf-image":{"title":"img tag GET request CSRF","summary":"The oldest CSRF: img.src to a state-changing GET endpoint sends cookies along."},"token-exfil":{"title":"Parent token / network exfiltration attempts","summary":"Multi-angle attempts to extract JWT, in-flight network, or storage from the parent. See exactly what SOP blocks and what slips through."},"parent-message-listener-probe":{"title":"Parent message-listener fingerprinting","summary":"Fire a wide range of postMessage payloads at the parent and observe responses or side effects."},"delayed-attack":{"title":"Delayed / auto-fire payload","summary":"Countdown via URL params, then auto-fire an action. Used to evade immediate user suspicion."},"chained-attack":{"title":"Chained attack (phishing + fullscreen + redirect)","summary":"Fullscreen fake UI → credential capture → top redirect to the real site to cover tracks.","body":{"actionLabels":{"start":"Start chained attack","reset":"Reset","login":"Sign in"},"logMessages":{"step1":"[1/3] show fullscreen fake service UI","step2":"[2/3] captured credentials: email={email} password={password}","step2Notice":"A real attack would exfiltrate via fetch/sendBeacon to an attacker server","step3":"[3/3] top-redirect to the real page to evade suspicion","redirectBlocked":"redirect blocked: {message}"},"text":{"overlayTitle":"Example Workspace","overlayBody":"Please sign in again due to a security policy change. (Fake PoC screen.)","emailLabel":"Email","passwordLabel":"Password"},"explanation":["Right after the iframe loads, a fullscreen overlay impersonates the service UI — the user still believes they are on the trusted site.","The user enters credentials → values flow to the iframe's own origin → attacker server receives them.","Immediately after capture, a top redirect to the real site happens; from the user perspective it looks like \"I signed in once\" and nothing more.","Every step relies only on cross-origin-allowed APIs. None of the steps require SOP to be broken.","Blocking step 1 alone breaks the chain — a host allowlist or a strict sandbox preventing arbitrary iframe embeds is the most effective single defense."]}}},"categories":{"html":"HTML Injection","dom":"DOM XSS","protocol":"URL / Protocol","context":"Context Breakout","file":"File Upload","content":"User Content","navigation":"Navigation","communication":"Communication","exfil":"Exfiltration","phishing":"Phishing","delayed":"Delayed / Chained","annoyance":"Annoyance","probe":"Probe"}}}],["$","main",null,{"className":"main","children":["$","$L6",null,{"parallelRouterKey":"children","segmentPath":["children","$7","children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L8",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","notFoundStyles":"$undefined"}]}]]}]],null],null]},[[[["$","link","0",{"rel":"stylesheet","href":"/_next/static/css/2e7f9f871f0db931.css","precedence":"next","crossOrigin":"$undefined"}]],["$","html",null,{"lang":"zh","children":[["$","head",null,{"children":["$","script",null,{"dangerouslySetInnerHTML":{"__html":"\ntry { if (window.self !== window.top) document.documentElement.classList.add('embed'); }\ncatch (e) { document.documentElement.classList.add('embed'); }\n"}}]}],["$","body",null,{"children":[["$","$L6",null,{"parallelRouterKey":"children","segmentPath":["children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L8",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":[["$","title",null,{"children":"404: This page could not be found."}],["$","div",null,{"style":{"fontFamily":"system-ui,\"Segoe UI\",Roboto,Helvetica,Arial,sans-serif,\"Apple Color Emoji\",\"Segoe UI Emoji\"","height":"100vh","textAlign":"center","display":"flex","flexDirection":"column","alignItems":"center","justifyContent":"center"},"children":["$","div",null,{"children":[["$","style",null,{"dangerouslySetInnerHTML":{"__html":"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}"}}],["$","h1",null,{"className":"next-error-h1","style":{"display":"inline-block","margin":"0 20px 0 0","padding":"0 23px 0 0","fontSize":24,"fontWeight":500,"verticalAlign":"top","lineHeight":"49px"},"children":"404"}],["$","div",null,{"style":{"display":"inline-block"},"children":["$","h2",null,{"style":{"fontSize":14,"fontWeight":400,"lineHeight":"49px","margin":0},"children":"This page could not be found."}]}]]}]}]],"notFoundStyles":[]}],[[["$","$La",null,{"src":"https://www.googletagmanager.com/gtag/js?id=G-S16JMWGEC5","strategy":"afterInteractive"}],["$","$La",null,{"id":"ga-init","strategy":"afterInteractive","children":"window.dataLayer = window.dataLayer || [];\nfunction gtag(){dataLayer.push(arguments);}\ngtag('js', new Date());\ngtag('config', 'G-S16JMWGEC5', { anonymize_ip: true });"}]],""]]}]]}]],null],null],"couldBeIntercepted":false,"initialHead":[null,"$Lb"],"globalErrorComponent":"$c","missingSlots":"$Wd"}]