Google XSS Game

In this post I solve the Goolge beginners XSS challanges. These are easier and especially recommended for beginners.

Level 1: Hello, world of XSS

Image Challange1.1

This entry-level task is a simple example of XSS. Regardless of whether the payload is passed within the url or directly in the application it will pop.


// In the input field
//In the url

The code is integrated into the application without further verification, so that the browser understands and executes it as part of the page code.

Level 2: Persistence is key

Image Challange2.1

This time there is a validation that prevents us from using the script tag. To work around this, we can insert an image tag with an invalid URL and an onerror attribute that triggers a javascript alert. I have also tested functions like onmouseover or onload, but they did not work here. Unlike the first task, our payload in this example is stored in the application so it is a stored XSS.


<img src='x' onerror='alert(0)'>

Image Challange2.2

Level 3: That sinking Feeling…

Image Challange3.1

This application gives the user 3 images to choose from. Depending on which image the user selects, the number of images in the URL changes.

My first step was to check what happens if i enter a number in the URL that does not exist on the application for example #6.

Image Challange3.2

My request is processed normally but no picture is displayed - NICE! because the image is obviously not existent but the application stil delivers a valid response.

The next step was to test what happens when I type in known JavaScript escape characters like ' single quote or " double quote.

Image Challange3.3

As it turned out it is possible to add additional commands by inserting single quotes.

Now only a suitable payload must be added.


Image Challange3.3

Level 4: Context matters

Image Challange4.1 In this task we can pass a number to the page input which is passed to a timer function. The input is not checked, so special characters and letters can also be entered.

Adding a single qoutes leads to an error in the startTimer function.
Image Challange4.1

If we now add a ")" the function call looks like this:


to create a valid statement and trigger an alert the following part must be added:

//Added part

//Valid Statement

Our payload is now valid and is processed correctly.

Level 5: Breaking protocol

Image Challange5.1

The welcome page does nothing special, it only leads us to the login page. On the login page, we can make any input and click on the next link.

Image Challange5.2

The next parameter is used to set the window.location. We can use this parameter to execute our Javascript function.


Level 6: Follow the 🐇

Image Challange6.1

For this task the description gives some good hints on how the application works.

The filter is configured to blacklist and thus prohibit access to “remote” content. In this case it should prohibit access to other remote servers by blacklisting https.

Image Challange6.2

Anyway the filter is easy to bypass because it is not case sensitive. In this case we can simply use Https, hTTps or httpS to execute our payload.

Image Challange6.3