Skip to main content

Google XSS Game - Solving Level 2

Level2 

Link: https://xss-game.appspot.com/level2

Solution

<img src="noimage" onerror="alert('xss')">

Result

Analysis

I posted mypost' and shared my status. This is what I get.

Whatever I typedin simply appeared in the page right after I click Share status! Lets see the source.


The text I posted seems directly put inside a <blockquote> tage. So even a simple <script> tage we used in Level1 should work here. BUT IT WILL NOT!. 

Let us exmine the code to understand why. Toggle to the code view of the game and exmine the index.html page and see how the text is added to the HTML page.


Important part is line 32 highlighted in the above code. The generated html fragement (html variable in the above code) is added to the mail html using the innerHTML method.  So when the browser parsing this html fragment (html variable in the above code), it will not execute any script tag define withing that html fragment.

Conclution

HTML parser will not execute a <script> tag when it parses htmls added via the innerHTML method. Hence, injecting a <script> won't work here.
Solution is to use events. Events will execute the defined javascripts.
In the above injection we are loading an image that doesnt exist, which causes to trigger an onerror event. In onerror event will execute our alert method.

HTML events list: https://www.w3schools.com/jsref/dom_obj_event.asp
Labels:

Comments

  1. Miklós QuartusMay 14, 2020 at 1:14 PM

    (y) clear explanation

    ReplyDelete
  2. AnonymousFebruary 3, 2022 at 8:37 AM

    Vimeo | Best Vimeo Videos, Movies and Stock Photos - Video
    Discover the best Vimeo video on Vimeo, the home download youtube videos to mp3 for high quality original videos produced using Vimeo's collection of high quality high quality high

    ReplyDelete

Post a Comment

Popular posts from this blog

Google XSS Game - Solving Level 4

Level 4 Link: https://xss-game.appspot.com/level4 Solution If inserted in the text field 3'); alert('XSS Or if injected directly into the URL using timer query parameter ?timer=3%27)%3b+alert(%27XSS Second solution if inserted in the text field 3')+ alert('XSS Or if injected directly into the URL using timer query parameter ?timer=3%27%29%2Balert%28%27XSS Result Analysis It is obvious the value entered in the textbox is tranfered to the server over the timer parameter in the URL. Lets exmine the code to see how the timer parameter is handled. In the line 21 of the timer.html, the startTimer() method is being called in the onload event. However, the timer parameter is directly passed to the startTimer() method. Lets exmine the network trafic to confirm this. Request with timer=3 The parameter value 3 is directly added to the startTimer() method without any filtering. What we can try to do here is to inject an alert() function to be ex...
Post a Comment
Read more

Google XSS Game - Solving Level 6 (Final)

Level6 Link:  https://xss-game.appspot.com/level6 Solution Host a simple Javascript file which can be fetch through a URL (https). The Javascript file need only to contain an alert() method. alert("XSS") Place the URL to the https file right after the # tag of the URL. Use HTTPS instead of https in the URL to the scropt to bypass the check. Result Analysis The vulnerability lies withing how the code handles the value after the # tag. In the line 45, the value right after the # tag is taken as the gadget name. And then in line 48, this value is directly passed into the includeGadget() method. And in the includeGadget() method a <script> tag is created [line 18] and the url (gadgetName) parameter value is directly used as the src attribute of the <script> tag [line 28]. This means, we can completly control the src attribute of the <script> tag being created. That is, with this vulnerability we can inject our own Javascript file into...
2 comments
Read more

Configuring Log level and Log file for TOR - KaliLinux

The configuration file for TOR is torrc [1] which is in the path /etc/tor/torrc . You have to enable some configurations in this file manually to enable logging in different log levels. Tor has several log levels: err": something bad just happened, and we can't recover. Tor will exit. "warn": something bad happened, but we're still running. The bad thing might be a bug in the code, some other Tor process doing something unexpected, etc. The operator should examine the message and try to correct the problem. "notice": something the operator will want to know about. "info": something happened (maybe bad, maybe ok), but there's nothing you need to (or can) do about it. "debug": for everything louder than info. It is quite loud indeed. Lets enable "notice" and "debug" and log them into separate files. Find the following section of the config file: The torrc config file log configuration Uncommen...
Post a Comment
Read more