Google XSS Game
In this post I solve the Google beginner XSS challenges. These are easier and especially recommended for beginners.
Level 1: Hello, world of XSS
This entry-level task is a simple example of reflected XSS. Regardless of whether the payload is passed within the URL or typed directly into the application's input field, the alert fires.
// In the input field
<script>alert(0)</script>
// In the URL
frame?query=<script>alert(0)</script>
The input is inserted into the page without any validation or output encoding, so the browser parses and executes it as part of the page's own code.
Level 2: Persistence is key
<img src='x' onerror='alert(0)'>
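Levels 1 and 2 share one root cause: an untrusted string becomes part of the page's HTML unchanged. The following is an added example, not code from the XSS Game or from this post. It renders the same input through a vulnerable template and through one that encodes the five HTML-significant characters first; the template text, the `renderUnsafe`/`renderSafe` names and the `containsInjectedTag` helper are assumptions made for the illustration. For the stored (Level 2) case the same encoding applies at the moment the stored post is rendered.

```javascript
// Added example (not from the XSS Game or the post): the same untrusted
// string rendered two ways. renderUnsafe() mirrors the Level 1/2 mistake of
// splicing input straight into markup; renderSafe() encodes it first so the
// browser treats it as text rather than as tags or event handlers.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the characters that can change meaning in an HTML text node or a
// quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input becomes part of the page's HTML unchanged.
// (Template text is a constructed stand-in for the level's own page.)
function renderUnsafe(query) {
  return `<div id="results">Sorry, no results were found for <b>${query}</b>.</div>`;
}

// Hardened: the same template, but the input is encoded for the HTML context.
function renderSafe(query) {
  return `<div id="results">Sorry, no results were found for <b>${escapeHtml(query)}</b>.</div>`;
}

// Reports whether the rendered markup contains a tag that did not come from
// the template itself (e.g. a <script> or <img ...> that arrived via input).
function containsInjectedTag(html) {
  const templateTags = new Set(['div', '/div', 'b', '/b']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !templateTags.has(t));
}

// Constructed sample inputs: the Level 1 and Level 2 payloads from the post.
const SAMPLES = [
  '<script>alert(0)</script>',
  "<img src='x' onerror='alert(0)'>",
];

for (const s of SAMPLES) {
  console.log('unsafe template injects a tag:', containsInjectedTag(renderUnsafe(s)));
  console.log('safe template injects a tag:  ', containsInjectedTag(renderSafe(s)));
}
```

The check in `containsInjectedTag` is a test aid, not a sanitizer: the fix is the encoding in `renderSafe`, which is what a browser-side `textContent` assignment (instead of `innerHTML`) would do for you.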
Level 3: That sinking feeling…
This application gives the user 3 images to choose from. Depending on which image the user selects, the image number in the URL changes.
My first step was to check what happens if I enter a number in the URL that does not exist in the application, for example #6.
My request is processed normally but no picture is displayed - NICE! Because the image obviously does not exist, but the application still delivers a valid response.
As it turned out it is possible to add additional commands by inserting single quotes.
Now only a suitable payload must be added.
Level 4: Context matters
In this task we can pass a number via the page input, which is handed to a timer function. The input is not checked, so special characters and letters can also be entered.
Adding a single quote leads to an error in the startTimer function.
If we now add a ")", the function call looks like this:
To create a valid statement and trigger an alert, the following part must be added:
// Added part
');alert('0
// Valid statement
onload="startTimer('3');alert('0');"
Our payload is now valid and is processed correctly.
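Levels 3 and 4 are both "a number from the user ends up inside markup" sinks, one in an image tag and one inside an inline event handler, and both are closed the same way: validate that the value really is a number before building anything from it. The following is an added example, not the XSS Game's own code; the `/static/cloud…` path, the `IMAGE_COUNT` constant, the timer bounds and the function names are assumptions made for the illustration.

```javascript
// Added example (not the XSS Game's code): validate first, build markup second.
// A value that passed parseStrictInt() cannot contain a quote or a parenthesis,
// so it cannot terminate the attribute (Level 3) or the string literal inside
// the onload handler (Level 4).

// Strict integer parse: accepts "3"; rejects "3'", "3)", " 3", "3.0" and "".
function parseStrictInt(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,6}$/.test(raw)) {
    return null;
  }
  return Number(raw);
}

// Level 3 style sink. The unsafe branch concatenates the raw value into the
// tag, which is the pattern the post exploits; the safe branch only accepts
// indices of images that actually exist.
const IMAGE_COUNT = 3; // the level offers 3 images (assumed layout)

function buildImageTagUnsafe(num) {
  return "<img src='/static/cloud" + num + ".jpg'>";
}

function buildImageTagSafe(raw) {
  const n = parseStrictInt(raw);
  if (n === null || n < 1 || n > IMAGE_COUNT) {
    // Unknown image: render a fixed fallback instead of echoing the input.
    return "<span class='error'>Invalid image selection</span>";
  }
  return "<img src='/static/cloud" + n + ".jpg'>";
}

// Level 4 style sink: the timer value lands inside an inline event handler,
// i.e. JavaScript nested inside an HTML attribute. Only a validated integer
// is ever placed there; anything else is refused outright.
function buildTimerAttributeSafe(raw) {
  const n = parseStrictInt(raw);
  if (n === null || n < 1 || n > 3600) {
    return null; // caller shows an error; nothing from the input reaches the page
  }
  return 'onload="startTimer(\'' + n + '\')"';
}

// Test aid: true if the markup is exactly one img tag with a single quoted
// src attribute, i.e. the input did not smuggle in extra syntax.
function hasOnlySrcAttribute(html) {
  return /^<img src='[^']*'>$/.test(html);
}

// Constructed inputs: a valid choice, a non-existent image, and two values
// that carry the characters the post uses to break out of the contexts.
for (const v of ['2', '6', "3'", "3');alert('0"]) {
  console.log(JSON.stringify(v), '->', buildImageTagSafe(v), '|', buildTimerAttributeSafe(v));
}
```

Rejecting instead of "cleaning" the value is deliberate: for a numeric parameter there is nothing to sanitize, and a lookup against a fixed range (`1..IMAGE_COUNT`) also removes the "valid response for a non-existent image" behaviour the post noticed at #6.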
Level 5: Breaking protocol
The welcome page does nothing special; it only leads us to the login page. On the login page we can enter any input and click the Next link.
Level 6: Follow the 🐇
For this task, the description gives some good hints about how the application works.
The filter is configured as a blacklist and thus prohibits access to "remote" content. In this case it should prohibit access to other remote servers by blacklisting
Anyway, the filter is easy to bypass because it does not account for letter case: we can simply use Https, hTTps or httpS to execute our payload.
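A blacklist that matches one spelling of the scheme misses the case variants listed above because the browser treats the scheme case-insensitively. The following is an added example, not the XSS Game's code: it puts a weak prefix check beside an allowlist that parses the URL the way the browser will, then requires the page's own origin and a fixed directory. The `PAGE_ORIGIN` value, the `/static/gadgets/` directory and the function names are constructed for the illustration.

```javascript
// Added example (not the XSS Game's code): blacklist vs. allowlist for a
// resource URL taken from user input.

const PAGE_ORIGIN = 'https://xss-game.example'; // constructed page origin

// Weak check in the spirit of Level 6: reject only two literal prefixes.
// Any other spelling of the scheme, or a scheme-relative "//host/path",
// slips through.
function isBlockedByBlacklist(url) {
  return url.startsWith('http://') || url.startsWith('https://');
}

// Hardened check: let the URL parser normalise scheme and path (case,
// "..", encoding), then accept only same-origin files in one directory.
// Returns the resolved URL to load, or null to refuse.
function resolveAllowedScript(url) {
  let parsed;
  try {
    parsed = new URL(url, PAGE_ORIGIN); // relative paths resolve against the page
  } catch (e) {
    return null; // unparseable input is refused, not "cleaned"
  }
  const allowedDir = '/static/gadgets/';
  if (parsed.origin !== PAGE_ORIGIN) return null;           // other hosts, javascript:, data:
  if (!parsed.pathname.startsWith(allowedDir)) return null; // ".." is already collapsed
  const file = parsed.pathname.slice(allowedDir.length);
  if (!/^[A-Za-z0-9_-]+\.js$/.test(file)) return null;      // one plain .js file name
  return parsed.href;
}

// Constructed inputs: the legitimate case, the post's case variants, and a
// scheme-relative URL that the blacklist never looked at.
const CANDIDATES = [
  '/static/gadgets/cloud.js',
  'https://evil.example/x.js',
  'Https://evil.example/x.js',
  'hTTps://evil.example/x.js',
  '//evil.example/x.js',
  '/static/gadgets/../../other.js',
];

for (const c of CANDIDATES) {
  console.log(c, '| blacklist blocks:', isBlockedByBlacklist(c),
              '| allowlist loads:', resolveAllowedScript(c));
}
```

The allowlist does not mention "http" at all; it only states what is permitted, so there is no list of forbidden spellings to keep complete.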