Welcome, recruit!

What's this all about?

This security game consists of several levels resembling real-world applications which are vulnerable to XSS - your task will be to find the problem and attack the apps, similar to what an evil hacker might do.



XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.

Who can play?

The game is designed primarily for developers working on Web applications who do not specialize in security. If you're a connoisseur of online hacking challenges you'll find the first few levels quite easy, but you just might learn something useful along the way.



You'll need a modern browser which supports JavaScript and cookies.

Is it possible to cheat at this game?

Yes, since this is a browser-based game, you will be able to cheat by messing with the page internals in developer tools or editing HTTP traffic.



However, we're sure that you won't have to resort to that -- there are hints and source to guide you. And as your teacher once told you: you would only be cheating yourself ;-)

How will I know when I'm done?

There will be cake at the end of the test.



