No description, website, or topics provided.
Clone or download
Latest commit 0c2a701 Dec 20, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
media Initial commit Dec 20, 2018
scripts Initial commit Dec 20, 2018
.gitignore Initial commit Dec 20, 2018 Update README Dec 20, 2018
app.js Initial commit Dec 20, 2018
package.json Initial commit Dec 20, 2018
yarn.lock Initial commit Dec 20, 2018

Vulnerable XSS Web Application

This is a small Node.js powered web application which is intentionally vulnerable to cross-site scripting.

It was created to demonstrate:

  • How custom filtering and cleansing may be bypassed
  • Alternative attack vectors to those typically documented

To read more about this, see our blog post at:



git clone
cd vulnerable-xss-app
yarn install


Each of the vulnerable endpoints accepts a query string parameter named xss which is processed and output in the response.

Vulnerable Endpoints

Endpoints Description
/ Reflects the xss parameter without modification
/replace Replaces any script tags in the xss parameter with NAUGHTY_HACKER
/remove Removes any script tags or onerror attributes in the xss parameter

Utility Endpoints

Endpoints Description
/keylogger Logs the data form field from the request in the server console
/screenshot Decodes the base64 encoded image from the data field into screenshot.png

Static Resources

Endpoints Description
/media/* Various multimedia files to test vectors using the img, audio and video tags
/scripts/* Scripts used to initialise attacks with larger payloads (e.g. keylogging)


http://localhost:3000/?xss=<audio oncanplay=alert(1) src="/media/hack-the-planet.mp3" />
http://localhost:3000/?xss=<video autoplay=true onended=alert(1) src="/media/hack-the-planet.mp4" />
http://localhost:3000/remove?xss=<img src=x ononerrorerror=alert(1) />
http://localhost:3000/replace?xss=<script <script>>alert(1)</script <script>>