XSSMaze is a web service configured to be vulnerable to XSS and is intended to measure and enhance the performance of security testing tools. You can find several vulnerable cases in the list below.

Installation

From Source

# Install dependencies
shards install

# Build
shards build # Dev build
shards build --release --no-debug --production

# Run XSSMaze
# Defatul: http://0.0.0.0:3000
./bin/xssmaze

From Docker

docker pull ghcr.io/hahwul/xssmaze:main

Usage

./xssmaze

# -b HOST, --bind HOST             Host to bind (defaults to 0.0.0.0)
# -p PORT, --port PORT             Port to listen for connections (defaults to 3000)
# -s, --ssl                        Enables SSL
# --ssl-key-file FILE              SSL key file
# --ssl-cert-file FILE             SSL certificate file
# -h, --help                       Shows this help

Map API

curl http://localhost:3000/map/txt
curl http://localhost:3000/map/json

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 611
Content-Type: application/json
X-Powered-By: Kemal

{
    "endpoints": [
        "/basic/level1/?query=a",
        "/basic/level2/?query=a",
        "/basic/level3/?query=a",
        "/basic/level4/?query=a",
        "/basic/level5/?query=a",
        "/basic/level6/?query=a",
        "/basic/level7/?query=a",
        "/dom/level1/",
        "/dom/level2/",
        "/dom/level3/",
        "/dom/level4/"
        ...
    ]
}