I Completed All XSS Labs on PortSwigger – Here's What I Learned

Introduction
As part of my journey into web application penetration testing, I completed all the Cross-Site Scripting (XSS) labs from PortSwigger’s Web Security Academy. These labs covered basic to advanced XSS vulnerabilities, and I learned how attackers can exploit websites using script injections.
In this blog, I’ll share:
What each type of XSS means
Tools I used
Challenges I faced
What I learned
Tools I Used
Burp Suite Community Edition
Web browser (Firefox or Chrome Dev Tools)
Custom XSS payloads
Notepad for writing and testing scripts
Lab Types Covered
XSS Type | Description | Example Payload
--- | --- | ---
Reflected XSS | Payload in a URL parameter or form field is echoed straight back in the response to that same request | <script>alert(1)</script>
Stored XSS | Payload is saved server-side (a comment, a profile field) and served to every visitor who later views that page | Same payload, but it fires later, for other users
DOM-based XSS | Client-side JavaScript writes attacker-controlled data (often from location.hash or location.search) into a dangerous sink; a <script> tag fires through a document.write sink, but not through innerHTML, where an event-handler payload such as <img src=x onerror=alert(1)> is needed instead | #<script>alert(1)</script>
Event handler injection | Payload lands in, or adds, an event-handler attribute such as onmouseover, onclick or onerror | <img src=x onerror=alert(1)>
Attribute injection | Payload closes the quoted attribute (and the tag) it is reflected into, then starts new markup | "><script>alert(1)</script>
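The rows above are really different output contexts, and each needs its own encoder. The following is an added example (not code from the original post or from PortSwigger) that places the same attacker-controlled string into an HTML attribute, a JavaScript string literal and a URL, and shows one case where the encoder is right but the template is wrong. The payloads and the `https://example.invalid/` base URL are constructed for the demo.

```javascript
// Added example: context-aware output encoding for XSS defence.
// Encoders and templates below are illustrative, not from any framework.

// Constructed attacker input: breaks out of a quoted attribute, then injects a tag.
const PAYLOAD = '"><script>alert(1)</script>';

// HTML body context: encode the five characters that can change the parse.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted attribute context: same encoding, but the template MUST quote the attribute.
function encodeAttr(s) {
  return encodeHtml(s);
}

// JavaScript string-literal context: escape everything that is not alphanumeric,
// so neither a quote nor "</script>" can terminate the literal or the block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context: allow only http(s) URLs, rejecting javascript:, data:, etc.
// Relative paths resolve against an assumed site origin (constructed for the demo).
function safeUrl(s) {
  try {
    const u = new URL(String(s), 'https://example.invalid/');
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) {
    // unparseable input falls through to the safe default
  }
  return 'about:blank';
}

// Vulnerable template: raw interpolation into a quoted attribute.
function renderVulnerable(value) {
  return `<input value="${value}">`;
}

// Fixed template: quoted attribute plus attribute encoding.
function renderSafe(value) {
  return `<input value="${encodeAttr(value)}">`;
}

// Wrong template: the encoder is correct, but the attribute is unquoted, so a
// payload with no special characters still adds an event handler.
function renderUnquotedAttr(value) {
  return `<input value=${encodeAttr(value)}>`;
}

// JS string context and URL context, each with the matching encoder.
function renderJsSafe(value) {
  return `<script>var q = '${encodeJsString(value)}';</script>`;
}
function renderLinkSafe(value) {
  return `<a href="${encodeAttr(safeUrl(value))}">link</a>`;
}

console.log(renderVulnerable(PAYLOAD));
console.log(renderSafe(PAYLOAD));
console.log(renderUnquotedAttr('x onmouseover=alert(1)'));
console.log(renderJsSafe("';alert(1)//"));
console.log(renderLinkSafe('javascript:alert(1)'));
```

The unquoted-attribute case is the one to remember: `x onmouseover=alert(1)` contains none of the five encoded characters, so `encodeHtml` passes it through untouched and the browser reads a second attribute. Encoding is only half of the fix; the template has to put the value where the encoder expects it.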
What I Learned
How XSS payloads can bypass naive filters through encoding and obfuscation (for example, varying the case of <script>, or using HTML entities inside an attribute value)
The importance of context-aware output encoding, a Content Security Policy (CSP), and input validation
How attackers steal session cookies, deface pages, or inject malicious JavaScript
How the injection context (HTML body, JavaScript string, URL, attribute) changes which payload will actually fire
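The filter-bypass point above is easiest to see against a concrete blacklist. The following is an added example (not code from the original post or from any PortSwigger lab) with two constructed filters, a one-pass "remove <script>" and a case-insensitive repeat-until-stable version, run against four constructed payloads. The `DANGEROUS` regex is only a reporting heuristic for the demo, not a detection mechanism to deploy.

```javascript
// Added example: why blacklist filtering fails against XSS payloads.
// Both filters are constructed stand-ins for the kind of server-side check
// the labs defeat; the payloads are constructed for this demo.

// Filter 1: a single case-sensitive pass that removes literal script tags.
function naiveFilter(input) {
  return String(input).replace(/<script>/g, '').replace(/<\/script>/g, '');
}

// Filter 2: the usual "improvement", case-insensitive and repeated until the
// string stops changing, so a nested tag cannot reassemble after one pass.
function iterativeFilter(input) {
  let prev;
  let cur = String(input);
  do {
    prev = cur;
    cur = cur.replace(/<\/?script>/gi, '');
  } while (cur !== prev);
  return cur;
}

// Constructed payloads, each exercising a different weakness.
const BYPASSES = [
  { name: 'case variation', payload: '<ScRiPt>alert(1)</ScRiPt>' },
  { name: 'nested tag that reassembles after one pass', payload: '<scr<script>ipt>alert(1)</scr</script>ipt>' },
  { name: 'event handler, no script tag at all', payload: '<img src=x onerror=alert(1)>' },
  { name: 'svg onload', payload: '<svg onload=alert(1)>' },
];

// Reporting heuristic only: does the filtered output still contain a script
// tag or an on*= event-handler attribute?
const DANGEROUS = /<script\b|\bon[a-z]+\s*=/i;

function survives(filterFn, payload) {
  return DANGEROUS.test(filterFn(payload));
}

// Runs every payload through both filters and returns one row per payload.
function report() {
  return BYPASSES.map(({ name, payload }) => ({
    name,
    naive: survives(naiveFilter, payload),
    iterative: survives(iterativeFilter, payload),
  }));
}

console.table(report());
```

The iterative filter closes the case and nesting holes, but the last two payloads pass both filters untouched because they never contain the string the blacklist is looking for. The durable fix is output encoding for the context the value lands in, not a longer list of forbidden tags.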
Challenges I Faced
Finding the correct input point
Payloads not triggering due to context
Dealing with WAFs or JavaScript sanitizers
DOM-based XSS was confusing at first
Useful Payloads I Practiced With

```html
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
"><script>alert(1)</script>
```
Written by naseef k