Finding and proving application security vulnerabilities requires a lot of skill. However, many of them are easy to exploit. If you want to write better code, you should know how others may prey on your mistakes. We compiled a Top-10 list of web applications that were intentionally made vulnerable to Cross-site Scripting (XSS). They were created so that you can learn in practice how attackers exploit Cross-site Scripting vulnerabilities by testing your own malicious code.

The sites in this Top-10 list are practical hacking challenges or collections of such challenges. Some of them are simple and help you learn the basics of Cross-site Scripting. Others present more difficult security flaw challenges for seasoned engineers. You may use this list to practice and test your skills but you may also use it to educate others about how important it is to effectively protect code.

Frequently asked questions

Cross-site scripting (XSS) is a type of vulnerability where the code sent by the attacker is executed back in the user’s browser. The malicious code is written in a scripting language, usually JavaScript.

Learn more about cross-site scripting in general.

There are three primary types of cross-site scripting vulnerabilities. Stored (persistent) XSS happens when an attacker injects malicious code into the target application – when victims visit the page, their browsers execute this code. Reflected (non-persistent) XSS happens when an attacker uses a malicious phishing link and malicious code is executed as part of the response from the server. DOM XSS happens within the Document Object Model (DOM) of the browser, often with no information sent to the server.

Learn more about the types of cross-site scripting.

It is completely legal to practice cross-site scripting on sites that are dedicated for that purpose. In this article, you can learn about the most popular sites that are intentionally vulnerable. You can also install your own local vulnerable applications such as bWAPP, OWASP Juice Shop, or DVWA and use them to practice.

If you want to see how Acunetix scans vulnerable applications, find out how to configure it with bWAPP.

The best way for someone with programming or administration knowledge to become a white-hat hacker at the moment is to learn on your own by reading a lot on the web and practicing. You will find a lot of educational articles on the Acunetix site and the Acunetix blog.

Learn why white-hat hackers are very important to IT security.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.