Skip to main content

Google XSS Game - Solving Level 6 (Final)

Level6

Link: https://xss-game.appspot.com/level6

Solution

Host a simple Javascript file which can be fetch through a URL (https). The Javascript file need only to contain an alert() method.
alert("XSS")
Place the URL to the https file right after the # tag of the URL. Use HTTPS instead of https in the URL to the scropt to bypass the check.

Result

Analysis

The vulnerability lies withing how the code handles the value after the # tag.

In the line 45, the value right after the # tag is taken as the gadget name. And then in line 48, this value is directly passed into the includeGadget() method.


And in the includeGadget() method a <script> tag is created [line 18] and the url (gadgetName) parameter value is directly used as the src attribute of the <script> tag [line 28].

This means, we can completly control the src attribute of the <script> tag being created. That is, with this vulnerability we can inject our own Javascript file into the code.

The only hurdle is the security check done in the line 21. But this can be easily by passed due to it's case sensitivity. It blocks any value with https or http. But this filter can be bypassed by using Http, HTtpS and so on since URLs are actualy case insensitive.

Conclusion  

We can inject a URL of our own hosted Javascript file into the webapplications URL after the # tag and the URL should not be using https but anything like HTTPS or HttpS to bypass the regular expression for security checking.

Labels:

Comments

  1. hoangdesuSeptember 4, 2023 at 2:44 PM

    I found another solution. You don't have to host your js file anywhere. Instead just use the base64 encoded data of the alert script. For instance alert('hi'); will be turned into "data:undefined;base64,YWxlcnQoJ2hpJyk7".
    Full working URL: https://xss-game.appspot.com/level6/frame#data:undefined;base64,YWxlcnQoJ2hpJyk7
    Love this series, thanks for the previous solutions 👏

    ReplyDelete

Post a Comment

Popular posts from this blog

Google XSS Game - Solving Level 4

Level 4 Link: https://xss-game.appspot.com/level4 Solution If inserted in the text field 3'); alert('XSS Or if injected directly into the URL using timer query parameter ?timer=3%27)%3b+alert(%27XSS Second solution if inserted in the text field 3')+ alert('XSS Or if injected directly into the URL using timer query parameter ?timer=3%27%29%2Balert%28%27XSS Result Analysis It is obvious the value entered in the textbox is tranfered to the server over the timer parameter in the URL. Lets exmine the code to see how the timer parameter is handled. In the line 21 of the timer.html, the startTimer() method is being called in the onload event. However, the timer parameter is directly passed to the startTimer() method. Lets exmine the network trafic to confirm this. Request with timer=3 The parameter value 3 is directly added to the startTimer() method without any filtering. What we can try to do here is to inject an alert() function to be ex...
Post a Comment
Read more

Google XSS Game - Solving Level 3

Level 3 Link: http://xss-game.appspot.com/level3 Solution xxs.jpg' onerror='alert("xss")'/> Result Analysis Hint 1: Clicking on any tab causes the tab number to be displayed in the URL fragment. This hints that the value after the # tag controls the behavior of the page. i.e. it is an input variable. To confirm, let's analyze the code. Inside the event handling method, the value provided after the # in the URL is directly passed into the chooTab() method. No input validation is performed. The value passed to the chooseTab method (the value of the num variable) is directly injected into the <img> tag in line 17. This is an unsafe assignment and it is the vulnerable part of the code. Conculution Now all we have to do is now to craft a payload that would adjust the <img> tag to execute a Javascript. Remember, the <script> tag would not work here since the var html is added to the dom dynamically. Hence EVENTS are ...
3 comments
Read more