🔁 Reflected XSS Lab — 50 Levels

Practice reflected XSS techniques across 50 progressively restrictive levels. No payload hints are shown. Goal: reflect input so that it executes alert(document.domain) or alert(window.origin) inside the rendered result to unlock the next level.
Reflected input (this simulates URL parameter / form input that the server reflects back into the page):
Tip: 'Reflect' applies the server-side filter for the current level before rendering; 'Reflect Unsafe' bypasses the filter (useful for testing).
Rendered page (sandboxed). When the reflected payload executes alert(document.domain) or alert(window.origin), the lab will detect it and unlock the next level.

Locked levels cannot be selected. Use the lab to unlock them sequentially.
// Define progressive server-side filters for each level (50 distinct filters)
// Each filter is a function that takes input and returns the stored/reflected string.
const filters = {};
// helper regex-safe
const esc = s => String(s).replace(/</g,'&lt;').replace(/>/g,'&gt;');
for(let i=1;i<=TOTAL;i++){
  // build different filters based on level number
  if(i===1) filters[i] = {name:'No filter', fn: s=>s};
  else if(i===2) filters[i] = {name:'Escape < and >', fn: s=>esc(s)};
  else if(i===3) filters[i] = {name:'Remove