Level 3
Link: http://xss-game.appspot.com/level3Solution
xxs.jpg' onerror='alert("xss")'/>Result
Analysis
Hint 1: Clicking on any tab causes the tab number to be displayed in the URL fragment. This hints that the value after the # tag controls the behavior of the page. i.e. it is an input variable.
To confirm, let's analyze the code.
Inside the event handling method, the value provided after the # in the URL is directly passed into the chooTab() method. No input validation is performed.
The value passed to the chooseTab method (the value of the num variable) is directly injected into the <img> tag in line 17. This is an unsafe assignment and it is the vulnerable part of the code.
Conculution
Now all we have to do is now to craft a payload that would adjust the <img> tag to execute a Javascript. Remember, the <script> tag would not work here since the var html is added to the dom dynamically. Hence EVENTS are our Aces here.Thereare many ways to exploit this. I will chose to use the existing img tag and change the src to something that doesn't exist, hence forcing it to fall in to execute an onerror even which I will pass through the URL.
xxs.jpg' onerror='alert("xss")'/>
But
ReplyDelete'><_script_>alert(3)
is working too in this level
(u need to delete "_")
After @alert(3) u need to add closing tag of script
DeleteYour code is not working
Delete