Google XSS Game – Solutions

Since I hadn't done the Google XSS game yet, I figured now was as good a time as any to work on my XSS.

Level 1

Level 1 presented me with a basic search box that appeared to take the query string and put it directly on the page.

Google XSS - Level 1

With this knowledge in hand, I figured a simple script payload would give me an alert on the results page.

Google XSS - Level 1 XSS

I was correct in my assumption, and got my XSS alert to easily clear Level 1.

Google XSS - Level 1 Solved

Level 2

Level 2 consisted of a "Comments" section on a website that appeared to support at least some HTML, based on the madness link.

Google XSS - Level 2

My initial plan was an empty image tag that would pop up an alert on mouseover.

Google XSS - Level 2 XSS

This indeed worked, and gave me my alert to move on to Level 3.

Google XSS - Level 2 Solved

That said, after a bit of research, I realized that I wanted a payload that would always execute, regardless of whether or not a user would mouse over it. For this I decided on a bad image location combined with an onerror alert.

Google XSS - Level 2 Onerror

This worked even better, and my payload executed every time I loaded the page!

Google XSS - Level 2 Solved Again

Level 3

Moving on to Level 3, I found an image gallery that would dynamically load the selected image, instead of hard-coded image tags.

Google XSS - Level 3

I figured the URL would be my injection point into the chooseTab function, so I decided to test that theory out.

Google XSS - Level 3 Test

Knowing that I was able to inject code into the end of that image link via the URL, I slightly modified my payload from Level 3, and properly escaped the original image tag. This worked, and gave me the XSS alert I needed to clear Level 3.

Google XSS - Level 3 Solved

Level 4

Level 4 consisted of a timer that took its duration from a text box on the page. This, in turn, would call a startTimer function with that number of seconds.

Google XSS - Level 4

After looking at the image for the loading.gif again, I realized that I could enter my number of seconds, escape from the onload, and add my JavaScript alert at the end. Once I got the proper escape sequence down, this worked and I was able to beat Level 4.

NOTE: the semi-colon in the injection needs to be URL encoded (%3B) as it is a reserved character under the URL RFC.
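The injections in Levels 2 through 4 all come from attacker-controlled text being concatenated into HTML. As an added example (not the XSS game's own source), the builders below model that pattern from the descriptions above, with the encoding and validation that close each context; the image path and the markup shape are assumptions, and the sample value is constructed.

```javascript
// Added example modelled on the Levels 2-4 descriptions; not the game's code.
// The markup shape and path below are assumptions.

// Encode the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable (Level 3 pattern): the selected image number is concatenated
// straight into a single-quoted attribute, so a raw quote in the value
// terminates src and the rest of the value becomes new attributes.
function buildImageTagUnsafe(num) {
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}

// Hardened: the same markup with the value encoded for the attribute context.
function buildImageTagSafe(num) {
  return "<img src='/static/level3/cloud" + escapeHtml(num) + ".jpg' />";
}

// The attribute is intact when the markup still has exactly the two single
// quotes that delimit src; any extra raw quote means the value broke out.
function srcAttributeIntact(markup) {
  return (markup.match(/'/g) || []).length === 2;
}

// Level 4 pattern: the value lands inside a JavaScript string in an onload
// attribute, where HTML encoding alone is not the right fix; validate that
// it is the integer the feature expects and reject everything else.
function parseTimerSeconds(value) {
  if (!/^\d{1,5}$/.test(String(value))) return null;
  return Number(value);
}

// Constructed sample value: a number followed by a quote and a new attribute.
const SAMPLE_BREAKOUT = "1' onerror='alert(1)";
```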

Level 5

When I got to Level 5, there was a simple e-mail registration form, and I thought I would be able to inject my payload into the e-mail text box.

Google XSS - Level 5

Unfortunately, once I clicked "Next", I was just taken to a confirmation page that redirected me back to where I was.

Google XSS - Level 5 Test

Landing back at the original sign-up page, I noticed that the next parameter in the query string was being used for the redirect. I changed the "confirm" value to "test", to see if this would take me to a different/404 page.

Google XSS - Level 5 Test 2

This indeed redirected me to /frame/test, so I knew I had my injection point correct.

Google XSS - Level 5 Test 3

With all of this information in hand, I decided to try a basic javascript:alert as my redirect page, to see where the application would take me.

Google XSS - Level 5 XSS

This worked, and I was able to continue to Level 6.

Google XSS - Level 5 Solved

Level 6

With Level 5 completed, it was time to move on to the next (and final) level. Level 6 looked like it would load a local gadget.js file, and then execute it.

My first attempt was to load a very basic alert (alert('xss');) from a Pastebin that I created for this purpose. Unfortunately, there was some input filtering that prevented my remote payload from being executed.

After taking a look at the source again, it seemed like the script was just rejecting anything containing "http".

Google XSS - Level 6 Filter

Having the filter in hand, I decided to try hTTp as opposed to http to see if my script would still be loaded by the page.

Google XSS - Level 6 XSS

This worked, and I was able to fully complete the Google XSS Challenge!
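Both Level 5 (a "next" parameter used as a redirect target) and Level 6 (a script URL checked with a substring filter for "http") come down to validating a URL. As an added example, not code from the XSS game, the check below parses the candidate against the page origin (an assumed constant) and allows only same-origin http(s) URLs, so scheme case, protocol-relative URLs and `javascript:` are handled before the comparison; the naive filter is included for contrast.

```javascript
// Added example, not the XSS game's code. PAGE_ORIGIN is an assumption.
const PAGE_ORIGIN = "https://example.invalid";

// The filter described for Level 6: rejects anything containing "http".
// It is case-sensitive and says nothing about scheme-less or javascript: URLs.
function naiveAllowsUrl(value) {
  return !String(value).includes("http");
}

// Resolve the candidate against the page origin and allow only a URL that
// stays on it. WHATWG URL parsing (what browsers and Node implement)
// lower-cases the scheme and strips leading whitespace, so "hTTp://",
// "jAvAsCrIpT:" and "\tjavascript:" are all normalised before the check.
function isSameOriginUrl(value) {
  let url;
  try {
    url = new URL(String(value), PAGE_ORIGIN);
  } catch (e) {
    return false; // unparsable input is not a valid target
  }
  return url.origin === PAGE_ORIGIN && /^https?:$/.test(url.protocol);
}

// Level 5 pattern: pick the redirect for a "next" parameter, falling back
// to a fixed same-site page when the supplied value does not pass.
function chooseRedirect(next, fallback) {
  return isSameOriginUrl(next) ? new URL(next, PAGE_ORIGIN).href : fallback;
}

// Level 6 pattern: a script source is only acceptable if it is same-origin;
// an absolute same-origin URL is fine, anything else is refused.
function isAllowedScriptSrc(value) {
  return isSameOriginUrl(value);
}
```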

Google XSS - Level 6 Solved

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
