XSS Game - Google
A few years ago, Google launched xss-game.appspot.com, a site for practising the discovery of XSS vulnerabilities through 6 challenges. This document summarizes possible solutions for challenges 1 to 5.
Quick summary of XSS:
An XSS (Cross-Site Scripting) attack is a security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users.
XSS exploits occur when user input is improperly sanitized or validated, allowing attackers to inject their malicious script.
These scripts can steal sensitive data (like cookies or session tokens), deface websites, or redirect users to malicious sites.
There are three main types of XSS: stored, reflected, and DOM-based, each differing in how and where the malicious code is injected and executed.
To begin, some useful resources:
- evuln xss-encoder/
- XSS Filter Evasion Cheat Sheet
- xss-payload-list
- resources.infosecinstitute.com - Deadly Consequences of XSS
- portswigger.net - Cross-site scripting (XSS) cheat sheet
- hacktricks - XSS
Level 1 - Reflected
In this level, we have an HTML form to perform a search. The searched word is then displayed on a new page, as shown below for the input test.
Solution
Characters are not escaped, so the input is inserted into the page as-is. We can therefore trigger an XSS alert by wrapping the code in script tags:
<script>alert("Hello")</script>
Level 2 - XSS persistence
In this one we are dealing with a stored XSS. The user can post a message, and it is in this message that we place our script.
Solution
To make it simple, I put the XSS in the form of a clickable link, but one could imagine using image or iframe tags, as well as redirecting the user automatically without going through a click.
<a href="javascript:alert()">Link</a>
Level 3 - url
In this challenge, the website displays images that can be selected.
Solution
Looking at the URL after clicking an image, we can see that the website displays the image specified by the fragment value. With the following URL, xss-game.appspot.com/level3/frame#2, the cloud2 image will be displayed.
Looking at the source code, we can see the following code:
The objective is to break out of the src attribute of the img tag in order to add a script tag after it:
'><script>alert("HEllo")</script>
Level 4
At level 4 we have a timer.
Solution
Looking at the code more closely, we can see that a startTimer function is called.
The attack targets the following part:
seconds = parseInt(seconds) || 3
Since seconds is the value of our input, we can close the parseInt call with a single quote and a parenthesis, terminate the statement with a semicolon, and then append an alert whose closing quote and parenthesis are supplied by the original code.
The payload is the following:
3');alert('test
Level 5 - DOM
Observing signup.html, we see that the URL of the link depends on the next parameter:
<a href="">Next >></a>
We can therefore modify the value of the link.
For this challenge, we use the bookmarklet functionality of web browsers. A bookmarklet lets you place in a hyperlink or URL the JavaScript code that the browser will execute; such a URL starts with javascript:
Reference: wikipedia.org - Bookmarklet, medium.com - Bookmarklets are Dead…
Solution
href="/level5/frame/signup?next=javascript:alert('Hello')"
Reference used for this challenge: sagarvd01 - Learning XSS with Google’s XSS Game
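As an added defender's example (not part of the XSS game nor of this write-up's original text), here are the two fixes that close levels 1 and 5: HTML-escaping reflected input before it is written into the page, and validating the next parameter against the site origin so that a javascript: URL never reaches an href. The constant SITE_ORIGIN and the function names are assumptions for the demonstration.

```javascript
// Fix for Level 1 / Level 3: encode the five characters that can break out of
// HTML text or attribute context, so the payloads shown above render as text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Fix for Level 5: only accept a "next" destination on our own origin.
// SITE_ORIGIN is an assumed value for this example.
const SITE_ORIGIN = "https://xss-game.appspot.com";

// Returns a relative same-origin path, or `fallback` for anything else.
function safeNext(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  let url;
  try {
    // Relative inputs resolve against the site origin; absolute ones keep their scheme.
    url = new URL(candidate, SITE_ORIGIN);
  } catch (e) {
    return fallback; // unparsable input is treated as untrusted
  }
  // javascript:, data: and vbscript: URLs have an opaque origin ("null"), and
  // protocol-relative "//evil.example" resolves off-site, so one comparison rejects all of them.
  if (url.origin !== SITE_ORIGIN) return fallback;
  // Hand back only path, query and fragment so the href stays relative to our site.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs: the page's Level 5 payload beside a legitimate destination.
const demo = {
  attack: safeNext("javascript:alert('Hello')"),
  legit: safeNext("/level5/frame/confirm?x=1"),
};
console.log(demo);
```

The escape helper is for text and quoted attribute values only; a value inserted into a script block, as in Level 4, needs to be parsed as a number server-side rather than concatenated into JavaScript source.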
References
- xss-game.appspot.com
- ChatGPT with the input “Write me a description of xss attack in a few line”