Google XSS Game
So Google has this XSS game where you can practice or test your XSS skills. You have to build your own XSS payloads to fit the scenario of each task and work through the levels. I have just found out about this website and I'll try to do it and post my solutions with my understanding of the task here.
Level 1: This is a very simple task. Any input we enter in the query is treated as HTML. So when we add a script tag, it is executed directly.
<script>alert()</script>
Level 2: This gets pretty tricky, but we see in hint #3 that it has something to do with img. So I tried adding an image with HTML code; when it fails to load that image it raises an error, and the onerror handler runs.
<img src='x' onerror='alert()'>
Level 3: Now we have no place to input our payload but the URL bar. For this we have to look at the source code and see where we can break out of the default string and enter our payload. We see how the images are loaded in the three tabs.
"<img src='/static/level3/cloud" + num + ".jpg' />";
So when we give it a number followed by ' we close the img src value and can go on with our payload. Comment out the rest of the code with // after our payload.
1' onerror=alert()//
Level 4: We get an input field where we can enter a timer value, and it will execute some function. Looking at the code below, we see <img src="/static/loading.gif" onload="startTimer('{{ timer }}');" /> To escape this we give a number, say 2, which replaces {{ timer }} in the line above so that it reads ('2'); We add ' after the number to close the string, then an arithmetic operator such as +, followed by alert() and then ); just as in the original code, and finally comment out the rest of the line with //
2'+alert());//
Level 5: When we click on sign up, we see next=confirm in the URL. Also notice that the Next button takes you to frame/confirm. Looking at the source code, <a href="{{ next }}">Next >></a> shows that the Next link points to whatever is in the next= field. So the payload here will actually be in the URL. Replace the URL with this and click Next for the popup.
https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert()
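The Level 3, 4 and 5 sinks quoted above, each modelled beside a hardened form that validates the value before it reaches the markup. This is an added example, not the game's code and not part of the original post; the function names, the fallback values and BASE are assumptions.

```javascript
// Added example: models of the Level 3, 4 and 5 sinks with hardened forms.
// Function names, fallback values and BASE are assumptions, not the game's source.
const BASE = "https://xss-game.appspot.com/level5/frame/signup";

// Level 3: the tab number is concatenated into markup as-is.
function tabImageVulnerable(num) {
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}
// Hardened: accept only a whole-string match on the three tab numbers.
function tabImageHardened(num) {
  const n = /^[1-3]$/.test(String(num)) ? String(num) : "1";
  return "<img src='/static/level3/cloud" + n + ".jpg' />";
}

// Level 4: the timer value lands inside a JS string in the onload handler.
function timerHandlerVulnerable(timer) {
  return "startTimer('" + timer + "');";
}
// Hardened: only 1-4 decimal digits pass, and they are emitted as a number.
function timerHandlerHardened(timer) {
  const secs = /^\d{1,4}$/.test(String(timer)) ? Number(timer) : 3;
  return "startTimer(" + secs + ");";
}

// Level 5: next= is copied into <a href>. Hardened: resolve it with the URL
// parser and keep only same-origin targets, returned as a path. javascript:
// and data: URLs have the opaque origin "null", so they never match.
function nextHrefHardened(next) {
  let url;
  try {
    url = new URL(String(next), BASE);
  } catch (e) {
    return "/"; // unparsable input falls back to the site root
  }
  const sameOrigin = url.origin === new URL(BASE).origin;
  return sameOrigin ? url.pathname + url.search : "/";
}

// The page's own payloads, run through each form.
console.log(tabImageVulnerable("1' onerror=alert()//"));
console.log(tabImageHardened("1' onerror=alert()//"));
console.log(timerHandlerVulnerable("2'+alert());//"));
console.log(timerHandlerHardened("2'+alert());//"));
console.log(nextHrefHardened("javascript:alert()"), nextHrefHardened("confirm"));
```

Parsing next= with the URL parser instead of checking a string prefix means mixed-case schemes and embedded tabs or newlines are normalised before the origin comparison.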
Level 6: //www.google.com/jsapi?callback=alert