The latest articles on DEV Community by GUERFI AHMED YACINE (@guerfi_ahmedyacine_c09bc). https://dev.to/guerfi_ahmedyacine_c09bc https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3920889%2Fd9c015ca-cc3e-4692-9ac1-40e667840c42.png https://dev.to/guerfi_ahmedyacine_c09bc en GUERFI AHMED YACINE Sat, 09 May 2026 00:09:28 +0000 https://dev.to/guerfi_ahmedyacine_c09bc/-title-i-built-a-static-xss-playground-that-runs-payloads-safely-in-the-browser--18an https://dev.to/guerfi_ahmedyacine_c09bc/-title-i-built-a-static-xss-playground-that-runs-payloads-safely-in-the-browser--18an <p>Most XSS learning resources have a tradeoff. They either explain payloads theoretically without letting you see execution, or they require a deliberately vulnerable backend. I wanted a safer middle ground: a fully static frontend app where payloads can run, but only inside an isolated preview.</p> <p>The core of the project is a sandboxed iframe:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">iframe</span> <span class="na">title</span><span class="p">=</span><span class="s">"Sandboxed XSS payload preview"</span> <span class="na">sandbox</span><span class="p">=</span><span class="s">"allow-scripts"</span> <span class="na">srcDoc</span><span class="p">=</span><span class="si">{</span><span class="nx">generatedHtml</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <p>The important detail is what is <strong>not</strong> allowed. The iframe has <code>allow-scripts</code>, so payloads can execute inside the preview, but it does not have <code>allow-same-origin</code>. That means the iframe gets a unique opaque origin. The payload can demonstrate behavior, but it cannot access the parent page's origin, storage, or DOM.</p> <p>I also override risky browser APIs inside the frame:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">window</span><span class="p">.</span><span class="nx">alert</span> <span class="o">=</span> <span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">parent</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">xss-alert</span><span class="dl">'</span><span class="p">,</span> <span class="nx">message</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="nb">window</span><span class="p">.</span><span class="nx">open</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="kc">null</span> <span class="nb">window</span><span class="p">.</span><span class="nx">fetch</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">reject</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Network disabled</span><span class="dl">'</span><span class="p">))</span> </code></pre> </div> <p>That lets the app show when a payload fires without letting the preview become a real attack surface.</p> <p>The lab focuses on four common output contexts.</p> <p>The biggest CSP reminder while building this was simple: allowing inline scripts often defeats the point of the policy. A strong CSP can reduce XSS impact, but it is not a replacement for correct output encoding and safe DOM APIs.</p> <p>The result is XSS Payload Lab: a static React app with a payload library, context explorer, sandbox preview, fix-the-sink challenges, and a CSP playground.</p> <p>Live tool: <a href="https://xss-payload-lab.vercel.app" rel="noopener noreferrer">https://xss-payload-lab.vercel.app</a><br><br> GitHub: <a href="https://github.com/ahmedremi/xss-payload-lab" rel="noopener noreferrer">https://github.com/ahmedremi/xss-payload-lab</a></p> security xss javascript webdev