How to build a hacking challenge that uses XSS?

The most common approach I've seen is to run a headless browser bot that gets vulnerable links through a submission system. It then visits each of these links for a few seconds with a magic cookie set.

An example can be found in the article "How to add an XSS-able bot to your CTF" where the bot is implemented as a headless PhantomJS instance. Similarly, the hackxor game uses HtmlUnit to simulate a browsing victim and this XSS challenge uses an instance of Zombie.js.

There are indeed several reasons to avoid stored XSS: Not only would players learn about the others' methods and eventually interfere with their payloads but people might start annoying others with redirects or infinite loops which will keep you busy with cleaning everything up.

Instead I'd suggest a reflected XSS vulnerability with a simple submission system where players can provide links that are then visited by the bot. Depending on the scenario, the submission could be put in the context of a contact form, a simple socket listener, a private IRC message, or, if you feel fancy, an email account where the links from incoming emails are extracted and visited.

I'd definitely avoid a system that requires manual interaction. Otherwise people will constantly inquire if their payloads have already run, if it can be visited again, etc. Depending on how aggressive the players are you should also think of a way to rate-limit submissions. (A CAPTCHA for the contact form would fit the scenario well.)
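A minimal version of the submission-plus-bot pipeline described in this answer, as an added example (not code from the thread or from any of the linked projects). The challenge host name, the flag cookie and the limits are placeholder assumptions; the headless visit is done with Playwright, which is only imported when a visit actually happens, so the submission and rate-limiting logic runs without it. The bot only follows http(s) links to the challenge host itself, so players cannot use it as a proxy to other sites, and each link is opened in a fresh browser context so one payload cannot leave state behind for the next.

```python
"""Link-submission queue and headless "victim" bot for a reflected-XSS challenge.

Added example, not code from the original thread. Host name, cookie and limits
are placeholder assumptions, not values taken from the page.
"""
import time
from collections import deque
from urllib.parse import urlsplit

CHALLENGE_HOST = "xss.ctf.example"  # assumed: the only host the bot may visit
FLAG_COOKIE = {                     # assumed: the "magic cookie" a payload must steal
    "name": "flag", "value": "FLAG{example-placeholder}",
    "domain": CHALLENGE_HOST, "path": "/", "httpOnly": False,
}
VISIT_SECONDS = 5                   # how long a payload gets to run
MAX_URL_LENGTH = 2048


def is_allowed_url(url):
    """Accept only http(s) links to the challenge host itself.

    javascript:/file: schemes, other hosts, non-default ports and userinfo tricks
    such as http://xss.ctf.example@evil.example/ are all rejected.
    """
    if not isinstance(url, str) or len(url) > MAX_URL_LENGTH:
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (parts.scheme in ("http", "https")
            and parts.username is None and parts.password is None
            and parts.hostname == CHALLENGE_HOST
            and port is None)


class RateLimiter:
    """Sliding window: at most `limit` submissions per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = {}

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class SubmissionQueue:
    """Bounded FIFO of links to visit; every submission counts against the limiter."""

    def __init__(self, limiter, max_pending=100):
        self.limiter = limiter
        self.max_pending = max_pending
        self._pending = deque()

    def submit(self, url, client_ip, now=None):
        """Return (accepted, reason); the reason is what the contact form reports back."""
        if not self.limiter.allow(client_ip, now):
            return False, "too many submissions, slow down"
        if not is_allowed_url(url):
            return False, "only links to %s are visited" % CHALLENGE_HOST
        if len(self._pending) >= self.max_pending:
            return False, "queue full, try again later"
        self._pending.append(url)
        return True, "queued"

    def drain(self, visitor):
        """Visit each queued link once via visitor(url, cookie, seconds); return the count."""
        visited = 0
        while self._pending:
            url = self._pending.popleft()
            try:
                visitor(url, FLAG_COOKIE, VISIT_SECONDS)
            except Exception as exc:  # a crashing or hanging payload must not kill the bot
                print("visit failed for %s: %s" % (url, exc))
            visited += 1
        return visited


def playwright_visitor(url, cookie, seconds):
    """Open the link in a fresh headless Chromium context that carries the flag cookie.

    Assumes the `playwright` package and its browsers are installed.
    """
    from playwright.sync_api import sync_playwright  # lazy: not needed for the queue logic
    with sync_playwright() as p:
        browser = p.chromium.launch(headless=True)
        context = browser.new_context()
        context.add_cookies([cookie])
        page = context.new_page()
        try:
            page.goto(url, timeout=seconds * 1000, wait_until="load")
            page.wait_for_timeout(seconds * 1000)  # give the payload time to run
        finally:
            context.close()
            browser.close()


if __name__ == "__main__":
    queue = SubmissionQueue(RateLimiter(limit=5, window=60))
    print(queue.submit("http://%s/search?q=%%3Cscript%%3E" % CHALLENGE_HOST, "203.0.113.7"))
    print(queue.submit("http://evil.example/", "203.0.113.7"))
    print(queue.drain(playwright_visitor), "link(s) visited")
```

In a real deployment `drain` would run in a loop in the bot process while the contact form (or socket listener, IRC bot, or mail poller) calls `submit`; the injectable `visitor` argument is what lets you swap the browser for a recording fake when testing the submission side.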


I would recommend individual container environments to separate conflicts between contestants.

For example, check out SANS’s one hour CTF at https://www.onehourctf.com – The One-Hour CTF uses Docker and Guacamole to provide a snappy shared learning environment. Guacamole provides the visual (VNC/RDP/SSH) interface to the Docker containers.

For an easy method for teaching cross-site scripting vulnerabilities, you may want to consider an educated simulation of the attack with custom code. From the attacker's perspective it's legit, but the back-end simulates the visual results.