Google XSS game is a very good starting point for learning cross-site-scripting by doing. I have written six blog posts explaining how to solve each level by proper analysing rather than just being a script kiddie. Link for the game: https://xss-game.appspot.com/ Links for the blog posts: https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-1.html https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-2.html https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-3.html https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-4.html https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-5.html https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-6-final.html
Level6 Link: https://xss-game.appspot.com/level6 Solution Host a simple Javascript file which can be fetch through a URL (https). The Javascript file need only to contain an alert() method. alert("XSS") Place the URL to the https file right after the # tag of the URL. Use HTTPS instead of https in the URL to the scropt to bypass the check. Result Analysis The vulnerability lies withing how the code handles the value after the # tag. In the line 45, the value right after the # tag is taken as the gadget name. And then in line 48, this value is directly passed into the includeGadget() method. And in the includeGadget() method a <script> tag is created [line 18] and the url (gadgetName) parameter value is directly used as the src attribute of the <script> tag [line 28]. This means, we can completly control the src attribute of the <script> tag being created. That is, with this vulnerability we can inject our own Javascript file into