Google XSS Game – Solutions

Since I hadn’t done the Google XSS game yet, I figured now was a good as any to work on my XSS.

Level 1

Level 1 presented me with a basic search box, that appeared to take the query string and put it directly on the page.

With this knowledge in hand, I figured a simple script payload would give me an alert on the results page.

I was correct in my assumption, and got my XSS alert to easily clear Level 1.

Level 2

Level 2 consisted of a “Comments” section on a website, that appeared to support at least some HTML based on the madness link.

My initial plan was an empty image tag that would pop-up an alert on mouseover.

This indeed worked, and gave me my alert to move on to Level 3.

That said, after a bit of research, I realized that I wanted a payload that would always execute, regardless of whether or not a user would mouse over it. For this I decided on a bad image location combined with an onerror alert.

This worked even better, and my payload executed every time I loaded the page!

Level 3

Moving on to Level 3, I found an image gallery that would dynamically load the selected image, instead of hard-coded image tags.

I figured the URL would be my injection point into the chooseTab function, so I decided to test that theory out.

Knowing that I was able to inject code into the end of that image link via the URL, I slightly modified my payload from Level 3, and properly escaped the original image tag. This worked, and gave me the XSS alert I needed to clear Level 3.

Level 4

Level 4 consisted of a timer that took its duration from a text box on the page. This, in turn, would call a startTimer function with that number of seconds.

After looking at the image for the loading.gif again, I realized that I could enter in my number of seconds, escape from the onload, and add my JavaScript alert at the end. Once I got the proper escape sequence down, this worked and I was able to beat Level 4.

NOTE: the semi-colon in the injection needs to be URL encoded (%3B) as it is a reserved character under the URL RFC.

Level 5

When I got to Level 5, there was a simple e-mail registration form, that I thought I would be able to inject my payload into the e-mail text box.

Unfortunately, once I clicked “Next”, I was just taken to a confirmation page that redirected me back to where I was.

Landing back at the original sign-up page, I noticed that the next parameter in the query string was being used for the redirect. I changed the “confirm” value to “test”, to see if this would take me to a different/404 page.

This indeed redirected me to /frame/test, so I knew I had my injection point correct.

With all of this information in hand, I decided to try a basic javascript:alert as my redirect page, to see where the application would take me.

This worked, and I was able to continue to Level 6.

Level 6

With Level 5 completed, it was time to move on to the next (and final) level. Level 6 looked like it would load a local gadget.js file, and then execute it.

My first attempt was to load a very basic alert (alert(‘xss’);) from a Pastebin that I created for this purpose. Unfortunately, there was some input filtering that prevented my remote payload from being executed.

After taking a look at the source again, it seemed like the script was just rejecting anything containing “http”.

Having the filter in hand, I decided to try hTTp as opposed to http to see if my script would still be loaded by the page.

This worked, and I was able to fully complete the Google XSS Challenge!