Security conferences often have hacking challenges. My colleagues and I have built a number of these. We've not yet done one that includes a cross-site scripting vulnerability.
I have seen challenges that do this. One approach was that a certain page (vulnerable to stored XSS) was requested by a browser on a periodic basis (every 10s I think). After successful attack, your payload ran in that browser and the challenge was to extract the cookie.
One issue with this approach is that when multiple people are working on the challenge simultaneously, they interfere with each other - and you can steal other people's ideas. An alternative idea was to have reflective XSS only, and a page where you can submit a link to the site, which admin will review before it goes live.
How long to have the browser stay open is an interesting choice. If it stays open a while (60s or so) then people can use tools like BeEF, which makes it a bit easier. If it's only open for 2s you have to script the attack.
There's a number of details that affect how well the challenge will work in practice. I'd prefer answers from people with experience running XSS hacking challenges that worked well. But failing that, I'll settle for informed speculation.
If it helps, we tend to attend technical conferences in the UK, e.g. B-Sides Manchester, SteelCon, SecuriTay.
Also, any hints about defending the browser from JavaScript exploits would be welcome!