Google XSS Game Solutions

Pranava K.V
4 min read · Oct 5, 2021

Walkthrough and solutions for the Google XSS game, levels 1 to 6

What’s in the Blog

The blog provides solutions to all 6 levels of the XSS game hosted by Google. Since the game is meant as a learning exercise, I will discuss several solutions for the same level, to give insight into the different approaches to exploiting an XSS.

If you have already solved the game, check whether you thought through the different methods of exploiting each XSS bug.

Background

Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in web applications. They let an attacker run script in a victim's browser in the context of the vulnerable site, and so steal or modify that user's data in the app.

Google acknowledges these bugs as a threat to the security posture of a web application and has built a training program around them. Through the program you learn to find and exploit XSS bugs, and you can use that knowledge to prevent such bugs in your own applications. The program takes the form of a game with 6 levels.

Link to XSS game: https://xss-game.appspot.com/

In each level of the game you are given a web application that accepts some kind of user input. The goal is to find an XSS bug and use it to make the site run JavaScript of your choosing; the game looks for a call to alert() and shows a notification when the level is solved.

TLDR

Payloads

Level-1:

<script>alert("XSS")</script>

Level-2:

<img src="random_string" onerror=alert("XSS")>

or

<img src="random_string" onerror="javascript:alert(1)"/>
Level-1: HELLO, WORLD OF XSS

Looking at the site, it's a pretty normal-looking page: an input for a query and a search button. My guess is that whatever I search for gets embedded into the page content.

Let me check first with some random input.

Yes, it does look like the input provided by the user is embedded in the site content.

As the level name suggests, this is a vanilla reflected XSS. A simple payload like:

<script>alert("XSS")</script>

is enough to check whether the site is vulnerable to XSS: if the tag is reflected into the page unencoded, the browser parses it as markup and executes it.

Once I hit the search option, the alert fires immediately. The alert also says that I can move on to the next level. So, on to the next one.

Level-2: Persistence is key

The website looks like some kind of chat app. After a closer look at the posts already there, I suspect that the messages we share can contain HTML tags. You can confirm the suspicion either by reading the site's code or, better, by posting test messages containing different HTML tags. I checked the site by posting content that uses a variety of HTML tags.

A plain <script> payload does nothing here: the site appears to perform some kind of sanitization on user messages that removes the script tag and its content. (Even where no such filter exists, a post that is written into the DOM with innerHTML never executes the <script> elements it inserts, so a bare script tag is a dead end either way.) Stripping script tags is a basic defence against XSS, but it is not foolproof. Filters like this raise the bar for an XSS bug: the payload needs to be more sophisticated, in this case a tag that the filter still allows, carrying an event handler that runs script.

Now I'm checking whether the website lets a post embed an image:

The exploit worked!

The website allows an <img> tag to be embedded but blocks the <script> tag. The src points at a resource that does not exist, so the image fails to load and the browser runs the onerror handler, which calls alert(). The second variant in the TLDR, onerror="javascript:alert(1)", works too, but not because of a javascript: URL: the text of an event handler attribute is plain JavaScript, where javascript: is just a label, and it is the alert(1) after it that runs.
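To make both levels concrete, here is an added example of my own (not code from the post or from the XSS game itself) that models them: a reflected search page like Level 1, and stored chat posts like Level 2 passed through a naive strip-the-script-tag filter. It shows that the filter stops the Level 1 payload but not the img/onerror payload, nor a nested-tag payload that reassembles <script> after one strip pass, while HTML-escaping at the point of insertion stops all of them. The page templates, function names and the nested payload are my own constructions; only the first two payloads come from the post.

```javascript
// Added example: a model of the two XSS game levels, not the game's own code.
// Level 1 reflects a search query into the page; Level 2 stores chat posts and
// renders them. Both build HTML by string concatenation, which is the bug.

// Naive blacklist of the kind Level 2 seems to apply: strip <script>...</script>.
// It runs once over the input and does not re-scan its own output.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// The actual fix: encode the characters that have meaning in HTML text and in
// quoted attribute values, at the point where the data is inserted.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Level 1 model: the query is reflected into the "no results" message.
// Assumed template; the real page's markup differs.
function renderSearchPage(query, { escape = false } = {}) {
  const shown = escape ? escapeHtml(query) : query;
  return `<p>Sorry, no results were found for <b>${shown}</b>.</p>`;
}

// Level 2 model: each stored message is dropped into a blockquote after
// passing through whatever filter the app applies (identity by default).
function renderPosts(messages, { filter = (m) => m } = {}) {
  return messages.map((m) => `<blockquote>${filter(m)}</blockquote>`).join("\n");
}

// Demo-only check: would a browser find script to run in this HTML? True if
// there is a <script> element or any tag carrying an on* event handler.
// This is a heuristic for the demo, not a general XSS detector.
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Payloads. The first two are the ones used in the post; the third is a
// constructed nesting trick that survives a single non-recursive strip.
const LEVEL1_PAYLOAD = '<script>alert("XSS")</script>';
const LEVEL2_PAYLOAD = '<img src="random_string" onerror=alert("XSS")>';
const NESTED_PAYLOAD = '<scr<script></script>ipt>alert("XSS")</script>';

function demo() {
  const stripped = { filter: stripScriptTags };
  const escaped = { filter: escapeHtml };
  return {
    // Level 1: reflected unencoded, the script tag is live; escaped, it is inert.
    level1Live: containsExecutableMarkup(renderSearchPage(LEVEL1_PAYLOAD)),
    level1LiveAfterEscaping: containsExecutableMarkup(renderSearchPage(LEVEL1_PAYLOAD, { escape: true })),
    // Level 2: the blacklist does stop a plain <script> payload...
    scriptLiveAfterBlacklist: containsExecutableMarkup(renderPosts([LEVEL1_PAYLOAD], stripped)),
    // ...but an allowed tag with an event handler walks straight through,
    imgLiveAfterBlacklist: containsExecutableMarkup(renderPosts([LEVEL2_PAYLOAD], stripped)),
    // ...and so does a payload that reassembles <script> after one strip pass.
    nestedLiveAfterBlacklist: containsExecutableMarkup(renderPosts([NESTED_PAYLOAD], stripped)),
    // Escaping neutralises all of them because no '<' reaches the HTML parser.
    imgLiveAfterEscaping: containsExecutableMarkup(renderPosts([LEVEL2_PAYLOAD], escaped)),
    nestedLiveAfterEscaping: containsExecutableMarkup(renderPosts([NESTED_PAYLOAD], escaped)),
    // What the blacklist actually leaves behind for the nested payload.
    nestedAfterStrip: stripScriptTags(NESTED_PAYLOAD),
  };
}

console.log(demo());
```

The takeaway is the one the level teaches: a blacklist has to anticipate every tag and attribute a browser will execute, whereas output encoding for the right context (here HTML text) removes the attacker's ability to introduce markup at all. In a real app the encoding belongs in the template engine or in a DOM API such as textContent, not in a hand-written regex.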

Solutions for Level 3–6 will follow soon.


Background: Graduate from IIT | Hobbies: Exploring tech, blogging, enjoying science and art | Free time activities: Watching F1, Cricket and Anime