I built xss-labs, a free, open-source collection of 39 interactive XSS challenges. It runs entirely in your browser with no server and no setup required. It is perfect for developers, penetration testers, and anyone preparing for PortSwigger, TryHackMe, or bug bounty programs. The live demo is available at yogsec.github.io/xss-labs and the GitHub repository is at github.com/yogsec/xss-labs.
Why Another XSS Lab
Cross-Site Scripting (XSS) remains number seven on the OWASP Top 10, and it continues to be a widespread vulnerability. The main reason is that developers still trust user input without proper sanitization.
The problem with most XSS tutorials is that they focus only on theory. Many require setting up a vulnerable virtual machine or a backend environment. They also fail to show real injection points across different contexts.
I wanted something different. I wanted a resource where you could open a URL and start hacking immediately without any installation. I wanted every major XSS vector covered, including reflected, stored, DOM-based, and event handler injections. I also wanted solutions included so learners understand why a particular payload works.
