Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Since I hadn’t done the Google XSS game yet, I figured now was as good a time as any to work on my XSS.
Level 1 presented me with a basic search box that appeared to take the query string and put it directly on the page.
With this knowledge in hand, I figured a simple script payload would give me an alert on the results page.
I was correct in my assumption, and got my XSS alert to easily clear Level 1.
Level 2 consisted of a “Comments” section on a website that appeared to support at least some HTML, based on the madness link.
My initial plan was an empty image tag that would pop up an alert on mouseover.
This indeed worked, and gave me my alert to move on to Level 3.
That said, after a bit of research, I realized that I wanted a payload that would always execute, regardless of whether or not a user would mouse over it. For this I decided on a bad image location combined with an onerror alert.
This worked even better, and my payload executed every time I loaded the page!
Moving on to Level 3, I found an image gallery that would dynamically load the selected image, instead of hard-coded image tags.
I figured the URL would be my injection point into the chooseTab function, so I decided to test that theory out.
Knowing that I was able to inject code into the end of that image link via the URL, I slightly modified my payload from Level 3, and properly escaped the original image tag. This worked, and gave me the XSS alert I needed to clear Level 3.
Level 4 consisted of a timer that took its duration from a text box on the page. This, in turn, would call a startTimer function with that number of seconds.
After looking at the image for the loading.gif again, I realized that I could enter my number of seconds, escape from the onload, and add my JavaScript alert at the end. Once I got the proper escape sequence down, this worked and I was able to beat Level 4.
NOTE: the semicolon in the injection needs to be URL encoded (%3B) as it is a reserved character under the URL RFC.
When I got to Level 5, there was a simple e-mail registration form, and I thought I would be able to inject my payload into the e-mail text box.
Unfortunately, once I clicked “Next”, I was just taken to a confirmation page that redirected me back to where I was.
Landing back at the original sign-up page, I noticed that the next parameter in the query string was being used for the redirect. I changed the “confirm” value to “test”, to see if this would take me to a different/404 page.
This indeed redirected me to /frame/test, so I knew I had my injection point correct.
With all of this information in hand, I decided to try a basic javascript:alert as my redirect page, to see where the application would take me.
This worked, and I was able to continue to Level 6.
With Level 5 completed, it was time to move on to the next (and final) level. Level 6 looked like it would load a local gadget.js file, and then execute it.
My first attempt was to load a very basic alert (alert('xss');) from a Pastebin that I created for this purpose. Unfortunately, there was some input filtering that prevented my remote payload from being executed.
After taking a look at the source again, it seemed like the script was just rejecting anything containing “http”.
Having the filter in hand, I decided to try hTTp as opposed to http to see if my script would still be loaded by the page.
This worked, and I was able to fully complete the Google XSS Challenge!
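The Level 5 and Level 6 bypasses both come from validating a URL as a string rather than parsing it. As an added example (not from the original post, and not the game's own code), here is a substring check of the kind the Level 6 filter resembles, next to a parse-based check that accepts only http(s) URLs on the page's own origin; the page origin is an assumed value.

```javascript
// Substring check: rejects only the literal lowercase "http", so a
// case variant such as "hTTp://" (Level 6) and a "javascript:" URL
// (Level 5) both slip through.
function substringCheck(url) {
  return !url.includes('http');
}

// Assumed page origin for the hardened check (not from the post).
const PAGE_ORIGIN = 'https://xss-game.example';

// Hardened check: resolve the input against the page origin with the
// WHATWG URL parser, which lower-cases the scheme, then allow only
// http(s) URLs whose origin matches the page. "javascript:" fails the
// scheme test; "hTTp://" and "//host" fail the origin test.
function isSafeLocalUrl(input) {
  let parsed;
  try {
    parsed = new URL(input, PAGE_ORIGIN);
  } catch {
    return false; // unparsable input is rejected, not guessed at
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return false;
  }
  return parsed.origin === PAGE_ORIGIN;
}
```

Relative paths such as `/frame/confirm` still resolve to the page origin and are accepted, which is the only kind of redirect target or gadget path the game's flows actually need.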
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.