This is a collection of some client-side web security challenges I've created. No server source is needed since all challenges work entirely in the browser. Each challenge comes with a solution page which runs a PoC exploit.


Over the years, I've created a lot of web challenges for various CTFs. CTFs are a great way to learn security, and many of these challenges aim to encourage players to find creative ways to attack a web application. However, CTFs are time-limited, and challenges go offline after the CTF ends.

While server-side challenges are costly for me to host, (some) client-side challenges are free to host. So I've decided to compile some of my client-side challenges here, so that they can be attempted at any time.


Gain XSS and pop an alert!


Gain XSS and pop an alert!


From a cross-origin site, can you leak the user's secrets?

Chrome Extensions

Exploit vulnerable Chrome extensions to steal secrets.