Posts

Solving all Google XSS Game levels

Google XSS Game is a very good starting point for learning cross-site scripting by doing. I have written six blog posts explaining how to solve each level by proper analysis rather than just being a script kiddie.

Link for the game: https://xss-game.appspot.com/

Links for the blog posts:

https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-1.html
https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-2.html
https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-3.html
https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-4.html
https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-5.html
https://offsec-sureshatt.blogspot.de/2017/04/google-xss-game-solving-level-6-final.html
Recent posts

Google XSS Game - Solving Level 6 (Final)

Level 6 Link: https://xss-game.appspot.com/level6

Solution

Host a simple JavaScript file that can be fetched through a URL (https). The JavaScript file needs only to contain an alert() call:

alert("XSS")

Place the URL of the hosted file right after the # tag of the level URL. Use HTTPS instead of https in the URL to the script to bypass the check.

Result

Analysis

The vulnerability lies within how the code handles the value after the # tag. In line 45, the value right after the # tag is taken as the gadget name. Then in line 48, this value is directly passed into the includeGadget() method. In the includeGadget() method a <script> tag is created [line 18] and the url (gadgetName) parameter value is directly used as the src attribute of the <script> tag [line 28]. This means we can completely control the src attribute of the <script> tag being created. That is, with this vulnerability we can inject our own JavaScript file into

Google XSS Game - Solving Level 5

Level 5 Link: https://xss-game.appspot.com/level5

Solution

In the "signup" page, assign the following value to the next query parameter and click the Next button on the page:

?next=javascript:alert('XSS');

Result

Analysis

The vulnerability can be easily detected if the "Next" link on the "signup" page is inspected.

The "next" URL parameter's value is "confirm"

The href of the "Next" link is also "confirm"

The href attribute value of the "Next" link is "confirm", which is exactly the value of the "next" URL query parameter.

Conclusion

This means the "next" query parameter can be used to inject JavaScript code into the href attribute of the "Next" link. Following is the best way to do it. As soon as the user clicks on the link, the script triggers:

javascript:alert('XSS');
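Levels 5 and 6 are the same bug seen from two sides: a URL taken from the request ends up as a link href or a script src without the application checking where it points. The example below is added here and is not the game's code; gadgetUrlCheckWeak is a simplified stand-in for the kind of case-sensitive scheme check the Level 6 post describes as bypassable with HTTPS, and the safe variants show the allowlist approach a defender would use instead. The function names, the "/static/" path prefix and the base origin https://app.example are assumptions made up for this example.

```javascript
// Added example (not the game's code): vetting an attacker-influenced URL before
// it becomes a <script src> (Level 6) or a link href / redirect target (Level 5).
// gadgetUrlCheckWeak, gadgetUrlCheckSafe, safeNextPath and the base origin are
// hypothetical names chosen for this example.

// Weak pattern: a case-sensitive deny-list of remote schemes. Anything that does
// not literally start with "http://" or "https://" is let through, so a value
// beginning with "HTTPS://" (or "javascript:") passes the check unchanged.
function gadgetUrlCheckWeak(url) {
  return !/^https?:\/\//.test(url);
}

// Hardened pattern: resolve the value against the page's own origin, then require
// that the result is same-origin and lives under the directory scripts are served
// from. The URL parser normalises the scheme to lower case, so case tricks do not
// help, and "javascript:" resolves to a URL whose origin is "null" and is rejected.
function gadgetUrlCheckSafe(url, baseOrigin) {
  let parsed;
  try {
    parsed = new URL(url, baseOrigin);
  } catch {
    return false; // unparseable input is never a valid gadget
  }
  return parsed.origin === baseOrigin && parsed.pathname.startsWith("/static/");
}

// For a "next" parameter the rule is the same: the value must be a path on this
// site. Returning the normalised path rather than the raw input also strips any
// scheme or host that was smuggled in; anything foreign falls back to "/".
function safeNextPath(next, baseOrigin) {
  let parsed;
  try {
    parsed = new URL(next, baseOrigin);
  } catch {
    return "/";
  }
  if (parsed.origin !== baseOrigin) return "/";
  return parsed.pathname + parsed.search;
}

// Demonstration on constructed inputs.
const base = "https://app.example";
console.log(gadgetUrlCheckWeak("HTTPS://evil.example/x.js"));       // true  (bypass)
console.log(gadgetUrlCheckSafe("HTTPS://evil.example/x.js", base)); // false
console.log(gadgetUrlCheckSafe("/static/gadget.js", base));         // true
console.log(safeNextPath("javascript:alert('XSS');", base));        // "/"
console.log(safeNextPath("confirm", base));                         // "/confirm"
```

The important design choice is that both safe functions decide on the parsed, normalised URL rather than on the raw string: a deny-list over the raw string always has one more spelling to miss, while an allowlist over origin and path has nothing to miss.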

Google XSS Game - Solving Level 4

Level 4 Link: https://xss-game.appspot.com/level4

Solution

If inserted in the text field:

3'); alert('XSS

Or if injected directly into the URL using the timer query parameter:

?timer=3%27)%3b+alert(%27XSS

Second solution, if inserted in the text field:

3')+ alert('XSS

Or if injected directly into the URL using the timer query parameter:

?timer=3%27%29%2Balert%28%27XSS

Result

Analysis

It is obvious that the value entered in the textbox is transferred to the server via the timer parameter in the URL. Let's examine the code to see how the timer parameter is handled. In line 21 of timer.html, the startTimer() method is called in the onload event, and the timer parameter is directly passed to the startTimer() method. Let's examine the network traffic to confirm this.

Request with timer=3

The parameter value 3 is directly added to the startTimer() method without any filtering. What we can try to do here is to inject an alert() function to be ex
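What makes Level 4 different from the others is the context: the value lands inside a JavaScript string literal in an inline handler, so HTML escaping alone would not help. The example below is added here and is not the game's code. timerFromQuery, buildOnloadVulnerable and buildOnloadSafe are hypothetical stand-ins for the server side of timer.html; the first shows why the URL-encoded and text-field forms of the payload are the same value, the second shows the concatenation the post describes, and the third shows the check a defender would put in its place.

```javascript
// Added example (not the game's code): handling a value that ends up inside a
// JavaScript string literal in an inline onload handler. All three functions are
// hypothetical stand-ins for the server side of timer.html.

// What the server actually receives for a given query string. URLSearchParams
// applies the same decoding a web framework does ("+" becomes a space, %27 a
// quote), which is why the URL-encoded and text-field payloads are equivalent.
function timerFromQuery(query) {
  return new URLSearchParams(query).get("timer");
}

// Vulnerable pattern: raw concatenation into the handler. A value containing a
// quote terminates the string literal, and whatever follows is parsed as code.
function buildOnloadVulnerable(timer) {
  return "startTimer('" + timer + "');";
}

// Hardened pattern: the timer is a count of seconds, so only a short run of
// digits is accepted and it is emitted as a number, never as a quoted string.
// Anything else returns null and the caller leaves the handler out entirely.
function buildOnloadSafe(timer) {
  if (typeof timer !== "string" || !/^\d{1,6}$/.test(timer)) return null;
  return "startTimer(" + Number(timer) + ");";
}

// Demonstration on the post's first payload (constructed input).
const sample = timerFromQuery("timer=3%27)%3b+alert(%27XSS");
console.log(sample);                        // 3'); alert('XSS
console.log(buildOnloadVulnerable(sample)); // startTimer('3'); alert('XSS');
console.log(buildOnloadSafe(sample));       // null
console.log(buildOnloadSafe("3"));          // startTimer(3);
```

Validating the type (a small integer) is preferable to escaping here because it removes the question of which characters are dangerous in this context; if a free-form string genuinely had to be passed, it would need JavaScript-string encoding followed by HTML-attribute encoding, one layer per context it passes through.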

Google XSS Game - Solving Level 3

Level 3 Link: http://xss-game.appspot.com/level3

Solution

xxs.jpg' onerror='alert("xss")'/>

Result

Analysis

Hint 1: Clicking on any tab causes the tab number to be displayed in the URL fragment. This hints that the value after the # tag controls the behavior of the page, i.e. it is an input variable. To confirm, let's analyze the code. Inside the event handling method, the value provided after the # in the URL is directly passed into the chooseTab() method. No input validation is performed. The value passed to the chooseTab() method (the value of the num variable) is directly injected into the <img> tag in line 17. This is an unsafe assignment and it is the vulnerable part of the code.

Conclusion

Now all we have to do is craft a payload that would adjust the <img> tag to execute JavaScript. Remember, the <script> tag would not work here since the var html is added to the DOM dynamically. Hence EVENTS are

Google XSS Game - Solving Level 2

Level 2 Link: https://xss-game.appspot.com/level2

Solution

<img src="noimage" onerror="alert('xss')">

Result

Analysis

I posted mypost' and shared my status. This is what I get. Whatever I typed in simply appeared in the page right after I clicked Share status! Let's see the source. The text I posted seems to be put directly inside a <blockquote> tag. So even the simple <script> tag we used in Level 1 should work here. BUT IT WILL NOT! Let us examine the code to understand why. Toggle to the code view of the game and examine the index.html page to see how the text is added to the HTML page. The important part is line 32, highlighted in the above code. The generated HTML fragment (html variable in the above code) is added to the main HTML using the innerHTML method. So when the browser parses this HTML fragment (html variable in the above code), it will not execute any script tag defined within that HTML fragment. Concl

Google XSS Game - Solving Level 1

Level 1 Link: https://xss-game.appspot.com/level1

Solution

<script>alert('xss')</script>

Result

Analysis

This task needs only basic knowledge. Let's see why the most primitive injections work here right away. Let's do a simple query and inspect the resulting HTML page.

Using the query with ' as a special character

Result of query. The special character ' appears in the result

The provided query text is placed directly in a <b> element

Conclusion

The provided query text is passed as a URL query parameter to the second page. The special character (') in the query string was not filtered out. This indicates it might be possible to push special characters like <, >, ', ", / which can be used to inject code. The provided text appeared directly inside a <b> tag, which indicates a script tag would be executed without any problem if it was set between the <b> and </b>.
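Levels 1, 2 and 3 are all the same root cause, untrusted text concatenated into HTML, in two different contexts: between tags (the <b> of Level 1, the <blockquote> of Level 2) and inside a quoted attribute (the <img src> of Level 3). Level 2 also shows why the payload changes from a <script> tag to an event handler: markup inserted through innerHTML is parsed, but script elements created that way are not executed, whereas an onerror attribute on an image fires as soon as the image fails to load. The example below is added here and is not the game's code; it shows the vulnerable builders in the shape the levels use next to their escaped forms. escapeHtml, the builder names and the "/static/cloud" image path are assumptions made up for this example.

```javascript
// Added example (not the game's code): output encoding for the two HTML contexts
// Levels 1 to 3 inject into. Function names and the image path are hypothetical.

// One encoder covers both the text context and the quoted-attribute context, as
// long as both quote characters are included: the attribute breakout in Level 3
// needs a bare single quote, and the text-context payloads need a bare "<".
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable builders: raw concatenation, as in Levels 2 and 3.
function statusFragmentVulnerable(text) {
  return "<blockquote>" + text + "</blockquote>";
}
function tabImageVulnerable(num) {
  return "<img src='/static/cloud" + num + ".jpg' />";
}

// Hardened builders: the text is escaped for the context it lands in, and the
// tab number, which is only ever a small integer, is validated as one instead
// of being escaped (null means "no tab selected", and the caller renders nothing).
function statusFragmentSafe(text) {
  return "<blockquote>" + escapeHtml(text) + "</blockquote>";
}
function tabImageSafe(num) {
  if (!/^[1-3]$/.test(String(num))) return null;
  return "<img src='/static/cloud" + num + ".jpg' />";
}

// Demonstration on the posts' own payloads (constructed inputs).
const status = "<img src=\"noimage\" onerror=\"alert('xss')\">";
console.log(statusFragmentVulnerable(status)); // the <img> survives as markup
console.log(statusFragmentSafe(status));       // <blockquote>&lt;img src=&quot;noimage&quot; ...
const tab = "xxs.jpg' onerror='alert(\"xss\")'/>";
console.log(tabImageVulnerable(tab));          // src attribute closed early, onerror added
console.log(tabImageSafe(tab));                // null
console.log(tabImageSafe("2"));                // <img src='/static/cloud2.jpg' />
```

In a real page the simplest fix for the text context is not to build HTML at all: assign the user text with textContent (or createTextNode) and let the browser treat it as data. Escaping is for the cases where a string really is assembled server side or handed to innerHTML.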