Complete Solution to XSS-GAME by Google to Practice XSS


What is Cross Site Scripting (XSS)?

As defined by Wikipedia: "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy."

But today we will not be discussing the What, How and Why of XSS; instead we will solve the 6 levels of Google's XSS-GAME. A tutorial on XSS will follow later, so this article assumes only that you are at least familiar with the term XSS, and nothing more.

Now that we have a very brief overview, let's move on to the real game. Shall we?


What is XSS-Game?

"XSS-Game is a training program, you will learn to find and exploit XSS bugs. You'll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications." — Taken from game page

There are 6 levels of varying difficulty, each built around a different concept, and in almost every case you're given the source code so that you can work out which XSS payload will work. It is very beneficial since it gives you a chance to practice XSS hands-on.

Note: It is recommended that you practice the levels at least once before you look into the solutions here. Also, I will not embed the main frame. I will give an image and write the payload, followed by an explanation of why it works. So without further ado.


Level 1: Hello, world of XSS

  • Mission Objective

    Inject a script to pop up a JavaScript alert() in the frame.

    Try it first and then see the solution in the next tabs.

  • This is a very straightforward level. Simply write an alert function within script tags.

    <script>alert(/xss/)</script>

    After you write this in the search bar, press okay and you're done. See the image below.

    [Image: XSS game level 1 solution]

  • In the game page, toggle the code and try to understand what it does. It is a small Django Python web app, but the following lines are the important ones for us to understand.

    query = self.request.get('query', '[empty]')
     
    # Our search engine broke, we found no results :-(
    message = "Sorry, no results were found for <b>" + query + "</b>."
    message += " <a href='?'>Try again</a>."
    
    # Display the results page
    self.render_string(page_header + message + page_footer)

    From the first line, it is clear that the app takes our query and builds a message by concatenating it directly, without any filtering or escaping, which is what makes the code vulnerable to XSS. The last line then renders the web page. So we can simply write the XSS payload within script tags and get it done.
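    To make the point concrete, here is an added example (my own code, not the game's source) that reproduces the level-1 concatenation next to a fixed version that HTML-escapes the query before it touches the markup; the page_header and page_footer values are constructed stand-ins, and the payload is the one used above.

```python
import html

# Constructed stand-ins for the game's real page_header / page_footer.
PAGE_HEADER = "<html><body>"
PAGE_FOOTER = "</body></html>"


def render_vulnerable(query):
    """Mirror of the level-1 logic: the query lands in the HTML unescaped."""
    message = "Sorry, no results were found for <b>" + query + "</b>."
    message += " <a href='?'>Try again</a>."
    return PAGE_HEADER + message + PAGE_FOOTER


def render_fixed(query):
    """Same page, but the untrusted query is HTML-escaped first.

    html.escape turns <, >, &, " and ' into entities, so a <script> tag
    is shown as text instead of being parsed as an element.
    """
    safe_query = html.escape(query, quote=True)
    message = "Sorry, no results were found for <b>" + safe_query + "</b>."
    message += " <a href='?'>Try again</a>."
    return PAGE_HEADER + message + PAGE_FOOTER


def contains_script_tag(rendered_html):
    """Crude check for the demo: does a live <script> element survive?"""
    return "<script>" in rendered_html.lower()


if __name__ == "__main__":
    payload = "<script>alert(/xss/)</script>"  # the level-1 payload from above
    print(render_vulnerable(payload))  # script tag is live
    print(render_fixed(payload))       # script tag is rendered as text
```

    The same escaping (or a templating engine that escapes by default) is the fix the level is hinting at; the crude tag check is only there to make the difference visible.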


    6 Comments

      1. Animesh Shaw says

        Yeah, I see that. I was also a little confused at the last one. But I should have tried it your way too. Well, point taken 😀

        1. Arinerron says

          The regex didn’t check for a space before the URL.

          1. Animesh Shaw says

            Yeah, I see that now. I am thinking that I should create an article on how to bypass different filters and test cases Of course we have OWASP filter evasion docs but still something a little more hands-on.

            1. Joseph Walton-Rivers says

              You can also get round it by using HTTPS:// (as it only checks for lowercase).

            2. Animesh Shaw says

              Yeah. I got that part after @Arinerron's gist solution. I tried it with the upper case version. Guess what, I was thinking too much?

              I will include your and his suggestions soon.
