Google XSS Game for Beginners

Cross-site scripting is one of the easiest of all bugs to find, if you are well aware of how and where to find it. It is the perfect playground for beginner bug bounty hunters.

Over time, finding XSS has become more and more uncommon, owing to the different frameworks being introduced every day.

What most of us get wrong is going to a random repo on GitHub and copying and trying each of the XSS payloads. This is the first mistake. We must be aware of how and why a payload works and how to utilize it. That is why one of my personal recommendations would be to get some basic knowledge of web development languages; otherwise you will just be banging your head all the time to no use :( .

Google pays a handsome amount for reporting XSS on its platform, but it is becoming more and more tough to find them; though there are some unique cases where someone applied a "think different" method to pop an alert at places which were considered impenetrable (Mr. Masato, are you there?). {He found XSS in Google Search}

Now you know the purpose of the post. Let us begin the show without wasting your time and mine :P

Clicking on the "let me at 'em" button will take you to Level 1.

Mission Description: This level demonstrates a common cause of cross-site scripting where user input is directly included in the page without proper escaping. Interact with the vulnerable application window below and find a way to make it execute JavaScript of your choosing. You can take actions inside the vulnerable window or directly edit its URL bar.

Mission Objective: Inject a script to pop up a JavaScript alert() in the frame below. Once you show the alert you will be able to advance to the next level.

You can view the frame source via view-source: .

Enter hello in the URL bar. You will find that hello is reflected back to the page.

Now type hello<script>alert(1)</script> and you will see that there is no encoding happening and the popup gets triggered.

Since the tags are not getting encoded or blocked, we can insert any new HTML element within its context to trigger a basic popup. This type of basic XSS is highly uncommon in real life though. :( You may find it on very insecure sites.

Mission Description: Web applications often keep user data in server-side and, increasingly, client-side databases and later display it to users. No matter where such user-controlled data comes from, it should be handled carefully. This level shows how easily XSS bugs can be introduced in complex apps.

Mission Objective: Inject a script to pop up an alert() in the context of the application. Note: the application saves your posts so if you sneak in code to execute the alert, this level will be solved every time you reload it.

This is an example of stored XSS. Running basic hello<script>alert(1)</script> won’t work here.

These payloads trigger when a particular action is performed.

A basic and commonly used payload among security circles is <img src=x onerror="alert(0)"/>

Using this will give the popup and complete level 2.

What we do here is set the img src equal to x, but since it never exists it will throw an error. The onerror handler we specified will be triggered for that event and give the alert(0).

This XSS payload has several variations which you may find online.

Mission Description: As you've seen in the previous level, some common JS functions are execution sinks which means that they will cause the browser to execute any scripts that appear in their input. Sometimes this fact is hidden by higher-level APIs which use one of these functions under the hood. The application on this level is using one such hidden sink.

Mission Objective: As before, inject a script to pop up a JavaScript alert() in the app. Since you can't enter your payload anywhere in the application, you will have to manually edit the address in the URL bar below.

Clicking on the different image tabs will load a different set of pictures.

One careful look at the source will help us find the JS which handles the user-supplied input; the value taken from window.location may be exploited.

Mission Description: Every bit of user-supplied data must be correctly escaped for the context of the page in which it will appear. This level shows why.

Mission Objective: Inject a script to pop up a JavaScript alert() in the application.

This is a countdown timer and it has a startTimer() function. I repeat again: no random payloads; use the console, inspect element, etc.

If we put 3' we will see in the error console: Uncaught SyntaxError: missing ) after argument list. The best way to solve this is to break out of the startTimer() call and inject our own script there. We also find that the ' in 3' gets encoded as &#x27;.

So maybe we can use it in reverse and introduce 3&#x27; in the URL bar. The HTML decoding and encoding behaviour of browsers is an important topic and you should read more about it. 3'),alert('2 will pop up and complete the level. The ') helped to close the startTimer() call and now we are able to inject our script as alert(2).
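As an added example (not the game's code and not the post's), the following shows why HTML escaping is the right fix for the level 1 reflection but not enough for the level 4 value, which lands inside a JavaScript string in an inline handler: the browser decodes the attribute value before the JS engine ever sees it. The template, the simplified decodeAttr helper and the data-attribute fix are my assumptions about how such a page could be built.

```javascript
// Added example, not code from the XSS game or the post.
// Level 1: HTML escaping is the right defence for a value reflected into HTML text.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Stand-in for the browser's attribute-value decoding: numeric references and
// the five common named ones. Real parsers do more, but the point is the same.
function decodeAttr(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[ref.toLowerCase()] ?? whole;
  });
}

// Level 4 style template (assumed): the timer value is HTML-escaped, but it sits
// inside a JavaScript string in an inline event handler.
function renderWeak(timer) {
  return `<img src="/static/loading.gif" onload="startTimer('${htmlEscape(timer)}');">`;
}

// What the JavaScript engine actually receives as the handler body.
function handlerSource(html) {
  const m = html.match(/onload="([^"]*)"/);
  return m ? decodeAttr(m[1]) : null;
}

// Hardened version: validate the value and keep it out of script context entirely.
// The page's own script would read it with img.dataset.timer and call startTimer().
function renderSafe(timer) {
  const seconds = Number.parseInt(timer, 10);
  if (!Number.isInteger(seconds) || seconds < 0 || String(seconds) !== String(timer).trim()) {
    throw new RangeError('timer must be a non-negative integer');
  }
  return `<img src="/static/loading.gif" data-timer="${seconds}">`;
}
```

Running handlerSource(renderWeak("3'),alert('2")) returns the handler body with the quotes restored, which is exactly why the level's escaping does not help.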

Mission Description: Cross-site scripting isn’t just about correctly escaping data. Sometimes, attackers can do bad things even without injecting new elements into the DOM.

Mission Objective: Inject a script to pop up an alert() in the context of the application.

This level is one example for DOM XSS.

The javascript: protocol lets us directly run any statements. We can take advantage of it by putting something like javascript:alert(2) as the value of next. So, on clicking the Next button, the XSS gets triggered via the javascript: context.

Mission Description: Complex web applications sometimes have the capability to dynamically load JavaScript libraries based on the value of their URL parameters or part of location.hash.

This is very tricky to get right — allowing user input to influence the URL when loading scripts or other potentially dangerous types of data such as XMLHttpRequest often leads to serious vulnerabilities.

Mission Objective: Find a way to make the application request an external file which will cause it to execute an alert().

Here we see that the JS gets loaded from an external site. Just replace it with a malicious page having alert(2) and call it. You will see that it gets blocked because it does not allow httpS or HTTPS. A simple case variation like htTps:// bypasses the filter.
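An added example, not the game's code: the case-sensitive scheme blocklist the post describes for level 6, beside an allowlist check that parses the candidate the way the browser will and only accepts a same-origin library path. BASE and the /static/ naming convention are assumptions.

```javascript
// Added example, not code from the XSS game or the post.
const BASE = 'https://app.example/'; // assumed origin of the page loading the script

// Weak check in the spirit of level 6: a case-sensitive blocklist on the scheme.
// A mixed-case scheme such as htTps:// is not matched, yet the browser treats it as https.
function weakAllows(url) {
  return !/^https?:\/\//.test(url);
}

// Hardened check: parse the candidate the way the browser will, require the same
// origin as the page, and only accept a .js file under /static/.
function safeScriptUrl(candidate) {
  let u;
  try {
    u = new URL(candidate, BASE);
  } catch {
    return null; // unparseable input is rejected
  }
  if (u.origin !== new URL(BASE).origin) return null;
  if (!/^\/static\/[A-Za-z0-9_-]+\.js$/.test(u.pathname)) return null;
  return u.pathname; // the only thing that should ever reach script.src
}
```

The host attacker.example used in the checks is a constructed value; the URL parser lowercases the scheme, so the mixed-case trick that fools the blocklist makes no difference to the origin comparison.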

TL;DR

This was a basic introduction to the popup world. Keep popping, guys. Till then, goodbye.

Refer to these guys, BruteLogic and Ashar Javed; they tweet good stuff about this topic from time to time. :)
