Posted on

XSS game

Today we will have a look at the different approaches which can be taken to validate XSS. There is a game by google which can help us in understanding this. The game has 6 levels, each one different from the other. The headings are hyperlinked. feel free to play it ..enoy. Let’s crack the code below.

Level 1 – Hello, world of XSS

This one is straight forward : Script tags will do the job

level 1 -1

level 1 -2

Level 2 – Persistence is key

This one is an example of Stored XSS. Script tags may not work everywhere, Image tags may work.

level 2 -1

level 2 -2

Level 3 – That sinking feeling…

It is noticeable that frame no changes as we click on diff images. Lets see how the error is handled in case we enter a frame no manually which does not exists.

level 3 -1

level 3-2

Level 4 – Context matters

A tough one.

level 4 -2

Level 5 – Breaking protocol

Here we can see that once sign up is clicked, URL changes and we have next=confirm.

level 5 -1

We altered the URL as below. Now even if you hit go without entering the email, the url will remain same.

level 5 -2

Now enter the mail and hot next.

level 5 -3

Level 6 – Follow the 🐇

Gadget being fetched from /static

level 6-1

Lets see if we can change that and refresh.

level 6 -2

This level can be passed in 2 ways. Refer to a JS object from some other source.Second way is as  below.

level 6 -3

DESSERT TIME

cake

Leave a comment