diff --git a/README.md b/README.md
index 065ac71..7c29406 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ cd vulstudy
 docker-compose up -d #启动容器
 docker-compose stop #停止容器
 ```
-![主界面](doc/vulstudy.jpg)
+![主界面](doc/vulstudy.png)
 
 ## 0x3 FAQ
 **1.第一次启动bWAPP容器访问其主页会报错如下：**
diff --git a/XSS-challenge-tour/Dockerfile b/XSS-challenge-tour/Dockerfile
new file mode 100644
index 0000000..0c3e8d5
--- /dev/null
+++ b/XSS-challenge-tour/Dockerfile
@@ -0,0 +1,9 @@
+FROM php:5.5-apache
+
+MAINTAINER c0ny1 <root@gv7.me>
+
+# set DirectoryIndex:index.htm
+COPY docker-php.conf /etc/apache2/conf-enabled/
+
+RUN rm -rf /var/www/html/*
+ADD ./src/ /var/www/html/
diff --git a/XSS-challenge-tour/docker-compose.yml b/XSS-challenge-tour/docker-compose.yml
new file mode 100644
index 0000000..faa4f3c
--- /dev/null
+++ b/XSS-challenge-tour/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '2'
+services:
+ web:
+   #build: .
+   image: c0ny1/xssed:latest
+   ports:
+     - "80:80"
diff --git a/XSS-challenge-tour/docker-php.conf b/XSS-challenge-tour/docker-php.conf
new file mode 100644
index 0000000..683d4ab
--- /dev/null
+++ b/XSS-challenge-tour/docker-php.conf
@@ -0,0 +1,12 @@
+<FilesMatch \.php$>
+        SetHandler application/x-httpd-php
+</FilesMatch>
+
+DirectoryIndex disabled
+DirectoryIndex index.php index.html index.htm
+
+<Directory /var/www/>
+        Options -Indexes
+        AllowOverride All
+</Directory>
+
diff --git a/XSS-challenge-tour/src/chk.js b/XSS-challenge-tour/src/chk.js
new file mode 100644
index 0000000..734ad91
--- /dev/null
+++ b/XSS-challenge-tour/src/chk.js
@@ -0,0 +1,4 @@
+window.alert = function()
+ {
+    confirm("完成的不错！");
+}
diff --git a/XSS-challenge-tour/src/index.php b/XSS-challenge-tour/src/index.php
new file mode 100644
index 0000000..d9a530e
--- /dev/null
+++ b/XSS-challenge-tour/src/index.php
@@ -0,0 +1,13 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<title>欢迎来到XSS挑战</title>
+</head>
+<body>
+<h1 align=center>欢迎来到XSS挑战</h1>
+<a href=level1.php?name=test><center><img src=index.png></center></a>
+<h2 align=center>点击图片开始你的XSS之旅吧！</h2>
+</body>
+</html>
+
+
diff --git a/XSS-challenge-tour/src/index.png b/XSS-challenge-tour/src/index.png
new file mode 100644
index 0000000..185ccec
Binary files /dev/null and b/XSS-challenge-tour/src/index.png differ
diff --git a/XSS-challenge-tour/src/level1.php b/XSS-challenge-tour/src/level1.php
new file mode 100644
index 0000000..68a8e78
--- /dev/null
+++ b/XSS-challenge-tour/src/level1.php
@@ -0,0 +1,29 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level2.php?keyword=test"; 
+}
+</script>
+<title>欢迎来到level1</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level1</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["name"];
+echo "<h2 align=center>欢迎用户".$str."</h2>";
+?>
+<center><img src=level1.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
+?>
+</body>
+</html>
+
+
+
+
diff --git a/XSS-challenge-tour/src/level1.png b/XSS-challenge-tour/src/level1.png
new file mode 100644
index 0000000..99664cd
Binary files /dev/null and b/XSS-challenge-tour/src/level1.png differ
diff --git a/XSS-challenge-tour/src/level10.php b/XSS-challenge-tour/src/level10.php
new file mode 100644
index 0000000..54dcf97
--- /dev/null
+++ b/XSS-challenge-tour/src/level10.php
@@ -0,0 +1,36 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level11.php?keyword=good job!"; 
+}
+</script>
+<title>欢迎来到level10</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level10</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+$str11 = $_GET["t_sort"];
+$str22=str_replace(">","",$str11);
+$str33=str_replace("<","",$str22);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form id=search>
+<input name="t_link"  value="'.'" type="hidden">
+<input name="t_history"  value="'.'" type="hidden">
+<input name="t_sort"  value="'.$str33.'" type="hidden">
+</form>
+</center>';
+?>
+<center><img src=level10.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
+?>
+</body>
+</html>
+
+
diff --git a/XSS-challenge-tour/src/level10.png b/XSS-challenge-tour/src/level10.png
new file mode 100644
index 0000000..3901a91
Binary files /dev/null and b/XSS-challenge-tour/src/level10.png differ
diff --git a/XSS-challenge-tour/src/level11.php b/XSS-challenge-tour/src/level11.php
new file mode 100644
index 0000000..b2ddb0c
--- /dev/null
+++ b/XSS-challenge-tour/src/level11.php
@@ -0,0 +1,36 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level12.php?keyword=good job!"; 
+}
+</script>
+<title>欢迎来到level11</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level11</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+$str00 = $_GET["t_sort"];
+$str11=$_SERVER['HTTP_REFERER'];
+$str22=str_replace(">","",$str11);
+$str33=str_replace("<","",$str22);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form id=search>
+<input name="t_link"  value="'.'" type="hidden">
+<input name="t_history"  value="'.'" type="hidden">
+<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
+<input name="t_ref"  value="'.$str33.'" type="hidden">
+</form>
+</center>';
+?>
+<center><img src=level11.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
+?>
+</body>
+</html>
diff --git a/XSS-challenge-tour/src/level11.png b/XSS-challenge-tour/src/level11.png
new file mode 100644
index 0000000..10bf45b
Binary files /dev/null and b/XSS-challenge-tour/src/level11.png differ
diff --git a/XSS-challenge-tour/src/level12.php b/XSS-challenge-tour/src/level12.php
new file mode 100644
index 0000000..b262893
--- /dev/null
+++ b/XSS-challenge-tour/src/level12.php
@@ -0,0 +1,37 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level13.php?keyword=good job!"; 
+}
+</script>
+<title>欢迎来到level12</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level12</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+$str00 = $_GET["t_sort"];
+$str11=$_SERVER['HTTP_USER_AGENT'];
+$str22=str_replace(">","",$str11);
+$str33=str_replace("<","",$str22);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form id=search>
+<input name="t_link"  value="'.'" type="hidden">
+<input name="t_history"  value="'.'" type="hidden">
+<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
+<input name="t_ua"  value="'.$str33.'" type="hidden">
+</form>
+</center>';
+?>
+<center><img src=level12.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
+?>
+</body>
+</html>
+
diff --git a/XSS-challenge-tour/src/level12.png b/XSS-challenge-tour/src/level12.png
new file mode 100644
index 0000000..8d9dfbe
Binary files /dev/null and b/XSS-challenge-tour/src/level12.png differ
diff --git a/XSS-challenge-tour/src/level13.php b/XSS-challenge-tour/src/level13.php
new file mode 100644
index 0000000..da657c0
--- /dev/null
+++ b/XSS-challenge-tour/src/level13.php
@@ -0,0 +1,38 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level14.php"; 
+}
+</script>
+<title>欢迎来到level13</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level13</h1>
+<?php 
+setcookie("user", "call me maybe?", time()+3600);
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+$str00 = $_GET["t_sort"];
+$str11=$_COOKIE["user"];
+$str22=str_replace(">","",$str11);
+$str33=str_replace("<","",$str22);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form id=search>
+<input name="t_link"  value="'.'" type="hidden">
+<input name="t_history"  value="'.'" type="hidden">
+<input name="t_sort"  value="'.htmlspecialchars($str00).'" type="hidden">
+<input name="t_cook"  value="'.$str33.'" type="hidden">
+</form>
+</center>';
+?>
+<center><img src=level13.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
+?>
+</body>
+</html>
+
diff --git a/XSS-challenge-tour/src/level13.png b/XSS-challenge-tour/src/level13.png
new file mode 100644
index 0000000..01c4d6c
Binary files /dev/null and b/XSS-challenge-tour/src/level13.png differ
diff --git a/XSS-challenge-tour/src/level14.php b/XSS-challenge-tour/src/level14.php
new file mode 100644
index 0000000..5f3253f
--- /dev/null
+++ b/XSS-challenge-tour/src/level14.php
@@ -0,0 +1,10 @@
+<html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<title>欢迎来到level14</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level14</h1>
+<center><iframe name="leftframe" marginwidth=10 marginheight=10 src="http://www.exifviewer.org/" frameborder=no width="80%" scrolling="no" height=80%></iframe></center><center>这关成功后不会自动跳转。成功者<a href=/xsschallenge/level15.php?src=1.gif>点我进level15</a></center>
+</body>
+</html>
diff --git a/XSS-challenge-tour/src/level15.php b/XSS-challenge-tour/src/level15.php
new file mode 100644
index 0000000..4dbc97c
--- /dev/null
+++ b/XSS-challenge-tour/src/level15.php
@@ -0,0 +1,22 @@
+<html ng-app>
+<head>
+        <meta charset="utf-8">
+        <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0/angular.min.js"></script>
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level16.php?keyword=test"; 
+}
+</script>
+<title>欢迎来到level15</title>
+</head>
+<h1 align=center>欢迎来到第15关，自己想个办法走出去吧！</h1>
+<p align=center><img src=level15.png></p>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["src"];
+echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';
+?>
+
+
diff --git a/XSS-challenge-tour/src/level15.png b/XSS-challenge-tour/src/level15.png
new file mode 100644
index 0000000..00516b4
Binary files /dev/null and b/XSS-challenge-tour/src/level15.png differ
diff --git a/XSS-challenge-tour/src/level16.php b/XSS-challenge-tour/src/level16.php
new file mode 100644
index 0000000..0687b73
--- /dev/null
+++ b/XSS-challenge-tour/src/level16.php
@@ -0,0 +1,30 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level17.php?arg01=a&arg02=b"; 
+}
+</script>
+<title>欢迎来到level16</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level16</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = strtolower($_GET["keyword"]);
+$str2=str_replace("script","&nbsp;",$str);
+$str3=str_replace(" ","&nbsp;",$str2);
+$str4=str_replace("/","&nbsp;",$str3);
+$str5=str_replace("	","&nbsp;",$str4);
+echo "<center>".$str5."</center>";
+?>
+<center><img src=level16.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str5)."</h3>";
+?>
+</body>
+</html>
+
diff --git a/XSS-challenge-tour/src/level16.png b/XSS-challenge-tour/src/level16.png
new file mode 100644
index 0000000..d0e1945
Binary files /dev/null and b/XSS-challenge-tour/src/level16.png differ
diff --git a/XSS-challenge-tour/src/level17.php b/XSS-challenge-tour/src/level17.php
new file mode 100644
index 0000000..19086af
--- /dev/null
+++ b/XSS-challenge-tour/src/level17.php
@@ -0,0 +1,26 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！"); 
+}
+</script>
+<title>欢迎来到level17</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level17</h1>
+<?php
+ini_set("display_errors", 0);
+echo "<embed src=xsf01.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
+?>
+<h2 align=center>成功后，<a href=level18.php?arg01=a&arg02=b>点我进入下一关</a></h2>
+</body>
+</html>
+
+
+
+
+
+
diff --git a/XSS-challenge-tour/src/level18.php b/XSS-challenge-tour/src/level18.php
new file mode 100644
index 0000000..097b6e7
--- /dev/null
+++ b/XSS-challenge-tour/src/level18.php
@@ -0,0 +1,23 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level19.php?arg01=a&arg02=b"; 
+}
+</script>
+<title>欢迎来到level18</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level18</h1>
+<?php
+ini_set("display_errors", 0);
+echo "<embed src=xsf02.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
+?>
+</body>
+</html>
+
+
+
diff --git a/XSS-challenge-tour/src/level19.php b/XSS-challenge-tour/src/level19.php
new file mode 100644
index 0000000..24fd110
--- /dev/null
+++ b/XSS-challenge-tour/src/level19.php
@@ -0,0 +1,22 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level20.php?arg01=a&arg02=b"; 
+}
+</script>
+<title>欢迎来到level19</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level19</h1>
+<?php
+ini_set("display_errors", 0);
+echo '<embed src="xsf03.swf?'.htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"]).'" width=100% heigth=100%>';
+?>
+</body>
+</html>
+
+
diff --git a/XSS-challenge-tour/src/level2.php b/XSS-challenge-tour/src/level2.php
new file mode 100644
index 0000000..5a58ca2
--- /dev/null
+++ b/XSS-challenge-tour/src/level2.php
@@ -0,0 +1,34 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level3.php?writing=wait"; 
+}
+</script>
+<title>欢迎来到level2</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level2</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form action=level2.php method=GET>
+<input name=keyword  value="'.$str.'">
+<input type=submit name=submit value="搜索"/>
+</form>
+</center>';
+?>
+<center><img src=level2.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
+?>
+</body>
+</html>
+
+
+
+
diff --git a/XSS-challenge-tour/src/level2.png b/XSS-challenge-tour/src/level2.png
new file mode 100644
index 0000000..501f92b
Binary files /dev/null and b/XSS-challenge-tour/src/level2.png differ
diff --git a/XSS-challenge-tour/src/level20.php b/XSS-challenge-tour/src/level20.php
new file mode 100644
index 0000000..aa1aa0f
--- /dev/null
+++ b/XSS-challenge-tour/src/level20.php
@@ -0,0 +1,21 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level21.php?arg01=a&arg02=b"; 
+}
+</script>
+<title>欢迎来到level20</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level20</h1>
+<?php
+ini_set("display_errors", 0);
+echo '<embed src="xsf04.swf?'.htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"]).'" width=100% heigth=100%>';
+?>
+</body>
+</html>
+
diff --git a/XSS-challenge-tour/src/level3.php b/XSS-challenge-tour/src/level3.php
new file mode 100644
index 0000000..1417bda
--- /dev/null
+++ b/XSS-challenge-tour/src/level3.php
@@ -0,0 +1,30 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level4.php?keyword=try harder!"; 
+}
+</script>
+<title>欢迎来到level3</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level3</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>"."<center>
+<form action=level3.php method=GET>
+<input name=keyword  value='".htmlspecialchars($str)."'>
+<input type=submit name=submit value=搜索 />
+</form>
+</center>";
+?>
+<center><img src=level3.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str)."</h3>";
+?>
+</body>
+</html>
diff --git a/XSS-challenge-tour/src/level3.png b/XSS-challenge-tour/src/level3.png
new file mode 100644
index 0000000..6f4365d
Binary files /dev/null and b/XSS-challenge-tour/src/level3.png differ
diff --git a/XSS-challenge-tour/src/level4.php b/XSS-challenge-tour/src/level4.php
new file mode 100644
index 0000000..de6e56d
--- /dev/null
+++ b/XSS-challenge-tour/src/level4.php
@@ -0,0 +1,34 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level5.php?keyword=find a way out!"; 
+}
+</script>
+<title>欢迎来到level4</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level4</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+$str2=str_replace(">","",$str);
+$str3=str_replace("<","",$str2);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form action=level4.php method=GET>
+<input name=keyword  value="'.$str3.'">
+<input type=submit name=submit value=搜索 />
+</form>
+</center>';
+?>
+<center><img src=level4.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str3)."</h3>";
+?>
+</body>
+</html>
+
+
diff --git a/XSS-challenge-tour/src/level4.png b/XSS-challenge-tour/src/level4.png
new file mode 100644
index 0000000..0f7ca9d
Binary files /dev/null and b/XSS-challenge-tour/src/level4.png differ
diff --git a/XSS-challenge-tour/src/level5.php b/XSS-challenge-tour/src/level5.php
new file mode 100644
index 0000000..a968589
--- /dev/null
+++ b/XSS-challenge-tour/src/level5.php
@@ -0,0 +1,33 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level6.php?keyword=break it out!"; 
+}
+</script>
+<title>欢迎来到level5</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level5</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = strtolower($_GET["keyword"]);
+$str2=str_replace("<script","<scr_ipt",$str);
+$str3=str_replace("on","o_n",$str2);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form action=level5.php method=GET>
+<input name=keyword  value="'.$str3.'">
+<input type=submit name=submit value=搜索 />
+</form>
+</center>';
+?>
+<center><img src=level5.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str3)."</h3>";
+?>
+</body>
+</html>
+
diff --git a/XSS-challenge-tour/src/level5.png b/XSS-challenge-tour/src/level5.png
new file mode 100644
index 0000000..e9666e2
Binary files /dev/null and b/XSS-challenge-tour/src/level5.png differ
diff --git a/XSS-challenge-tour/src/level6.php b/XSS-challenge-tour/src/level6.php
new file mode 100644
index 0000000..711d6fa
--- /dev/null
+++ b/XSS-challenge-tour/src/level6.php
@@ -0,0 +1,37 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level7.php?keyword=move up!"; 
+}
+</script>
+<title>欢迎来到level6</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level6</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = $_GET["keyword"];
+$str2=str_replace("<script","<scr_ipt",$str);
+$str3=str_replace("on","o_n",$str2);
+$str4=str_replace("src","sr_c",$str3);
+$str5=str_replace("data","da_ta",$str4);
+$str6=str_replace("href","hr_ef",$str5);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form action=level6.php method=GET>
+<input name=keyword  value="'.$str6.'">
+<input type=submit name=submit value=搜索 />
+</form>
+</center>';
+?>
+<center><img src=level6.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str6)."</h3>";
+?>
+</body>
+</html>
+
+
diff --git a/XSS-challenge-tour/src/level6.png b/XSS-challenge-tour/src/level6.png
new file mode 100644
index 0000000..0f0ff0c
Binary files /dev/null and b/XSS-challenge-tour/src/level6.png differ
diff --git a/XSS-challenge-tour/src/level7.php b/XSS-challenge-tour/src/level7.php
new file mode 100644
index 0000000..13e080c
--- /dev/null
+++ b/XSS-challenge-tour/src/level7.php
@@ -0,0 +1,35 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level8.php?keyword=nice try!"; 
+}
+</script>
+<title>欢迎来到level7</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level7</h1>
+<?php 
+ini_set("display_errors", 0);
+$str =strtolower( $_GET["keyword"]);
+$str2=str_replace("script","",$str);
+$str3=str_replace("on","",$str2);
+$str4=str_replace("src","",$str3);
+$str5=str_replace("data","",$str4);
+$str6=str_replace("href","",$str5);
+echo "<h2 align=center>没有找到和".htmlspecialchars($str)."相关的结果.</h2>".'<center>
+<form action=level7.php method=GET>
+<input name=keyword  value="'.$str6.'">
+<input type=submit name=submit value=搜索 />
+</form>
+</center>';
+?>
+<center><img src=level7.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str6)."</h3>";
+?>
+</body>
+</html>
diff --git a/XSS-challenge-tour/src/level7.png b/XSS-challenge-tour/src/level7.png
new file mode 100644
index 0000000..68403f2
Binary files /dev/null and b/XSS-challenge-tour/src/level7.png differ
diff --git a/XSS-challenge-tour/src/level8.jpg b/XSS-challenge-tour/src/level8.jpg
new file mode 100644
index 0000000..5a2fbba
Binary files /dev/null and b/XSS-challenge-tour/src/level8.jpg differ
diff --git a/XSS-challenge-tour/src/level8.php b/XSS-challenge-tour/src/level8.php
new file mode 100644
index 0000000..6d3f5a0
--- /dev/null
+++ b/XSS-challenge-tour/src/level8.php
@@ -0,0 +1,39 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level9.php?keyword=not bad!"; 
+}
+</script>
+<title>欢迎来到level8</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level8</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = strtolower($_GET["keyword"]);
+$str2=str_replace("script","scr_ipt",$str);
+$str3=str_replace("on","o_n",$str2);
+$str4=str_replace("src","sr_c",$str3);
+$str5=str_replace("data","da_ta",$str4);
+$str6=str_replace("href","hr_ef",$str5);
+$str7=str_replace('"','&quot',$str6);
+echo '<center>
+<form action=level8.php method=GET>
+<input name=keyword  value="'.htmlspecialchars($str).'">
+<input type=submit name=submit value=添加友情链接 />
+</form>
+</center>';
+?>
+<?php
+ echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';
+?>
+<center><img src=level8.jpg></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str7)."</h3>";
+?>
+</body>
+</html>
diff --git a/XSS-challenge-tour/src/level9.php b/XSS-challenge-tour/src/level9.php
new file mode 100644
index 0000000..ecf7e20
--- /dev/null
+++ b/XSS-challenge-tour/src/level9.php
@@ -0,0 +1,46 @@
+<!DOCTYPE html><!--STATUS OK--><html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<script>
+window.alert = function()  
+{     
+confirm("完成的不错！");
+ window.location.href="level10.php?keyword=well done!"; 
+}
+</script>
+<title>欢迎来到level9</title>
+</head>
+<body>
+<h1 align=center>欢迎来到level9</h1>
+<?php 
+ini_set("display_errors", 0);
+$str = strtolower($_GET["keyword"]);
+$str2=str_replace("script","scr_ipt",$str);
+$str3=str_replace("on","o_n",$str2);
+$str4=str_replace("src","sr_c",$str3);
+$str5=str_replace("data","da_ta",$str4);
+$str6=str_replace("href","hr_ef",$str5);
+$str7=str_replace('"','&quot',$str6);
+echo '<center>
+<form action=level9.php method=GET>
+<input name=keyword  value="'.htmlspecialchars($str).'">
+<input type=submit name=submit value=添加友情链接 />
+</form>
+</center>';
+?>
+<?php
+if(false===strpos($str7,'http://'))
+{
+  echo '<center><BR><a href="您的链接不合法？有没有！">友情链接</a></center>';
+        }
+else
+{
+  echo '<center><BR><a href="'.$str7.'">友情链接</a></center>';
+}
+?>
+<center><img src=level9.png></center>
+<?php 
+echo "<h3 align=center>payload的长度:".strlen($str7)."</h3>";
+?>
+</body>
+</html>
diff --git a/XSS-challenge-tour/src/level9.png b/XSS-challenge-tour/src/level9.png
new file mode 100644
index 0000000..e169825
Binary files /dev/null and b/XSS-challenge-tour/src/level9.png differ
diff --git a/XSS-challenge-tour/src/xsf01.swf b/XSS-challenge-tour/src/xsf01.swf
new file mode 100644
index 0000000..91b426b
Binary files /dev/null and b/XSS-challenge-tour/src/xsf01.swf differ
diff --git a/XSS-challenge-tour/src/xsf02.swf b/XSS-challenge-tour/src/xsf02.swf
new file mode 100644
index 0000000..3273af5
Binary files /dev/null and b/XSS-challenge-tour/src/xsf02.swf differ
diff --git a/XSS-challenge-tour/src/xsf03.swf b/XSS-challenge-tour/src/xsf03.swf
new file mode 100644
index 0000000..dfb1a60
Binary files /dev/null and b/XSS-challenge-tour/src/xsf03.swf differ
diff --git a/XSS-challenge-tour/src/xsf04.swf b/XSS-challenge-tour/src/xsf04.swf
new file mode 100644
index 0000000..13bf8e3
Binary files /dev/null and b/XSS-challenge-tour/src/xsf04.swf differ
diff --git a/doc/vulstudy.jpg b/doc/vulstudy.jpg
deleted file mode 100644
index 232ef52..0000000
Binary files a/doc/vulstudy.jpg and /dev/null differ
diff --git a/doc/vulstudy.png b/doc/vulstudy.png
new file mode 100644
index 0000000..be3546c
Binary files /dev/null and b/doc/vulstudy.png differ
diff --git a/docker-compose.yml b/docker-compose.yml
index a7b92a1..8da3f94 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -59,6 +59,11 @@ services:
   ports:
    - "88:80"
 
+ Xss_challenge_tour:
+  image: c0ny1/xss-challenge-tour:latest
+  ports:
+   - "8091:80"
+
  dsvw:
   image: c0ny1/dsvw:v0.1m
   ports:
diff --git a/www/index.css b/www/index.css
index cad18cb..f53a7f0 100644
--- a/www/index.css
+++ b/www/index.css
@@ -29,7 +29,7 @@ td{
 
 #Box {
   max-width          : 800px;
-  max-height         : 600px;
+  /*max-height         : 600px;*/
   background-color   : rgba(255, 255, 255, .7);
   margin-left        : auto;
   margin-right       : auto;
diff --git a/www/index.html b/www/index.html
index b507ca3..f628bc1 100644
--- a/www/index.html
+++ b/www/index.html
@@ -17,7 +17,7 @@
 
 <body style="background-color: #2e3030;"> 
 
-<div style="width:240px;height:50px;margin: 0 auto;border: 0px solid #000000;">
+<div style="width:240px;height:100px;margin: 0 auto;border: 0px solid #000000;">
 <a href="http://github.com/c0ny1/vulstudy" style="text-decoration:none;" target="view_window"><h1 style="color: #fbcc04;font-size: 60px;">vulstudy</h1></a>
 </div>
 
@@ -121,6 +121,13 @@
           <td>综合</td>
           <td>Spider Labs</td>
           <td>php</td>
+        </tr>
+		<tr onClick="openURL(':8091/')">
+          <th scope="row" style="text-align: center;">13</th>
+          <td>XSS挑战之旅</td>
+          <td>XSS</td>
+          <td>未知</td>
+          <td>php</td>
         </tr>
       </tbody>
     </table>