Since I hadn't done the Google XSS game yet, I figured now was as good a time as any to work on my XSS.
Level 1 presented me with a basic search box that appeared to take the query string and put it directly on the page.
With this knowledge in hand, I figured a simple script payload would give me an alert on the results page.
I was correct in my assumption, and got my XSS alert to easily clear Level 1.
Level 2 consisted of a "Comments" section on a website that appeared to support at least some HTML, based on the madness link.
My initial plan was an empty image tag that would pop up an alert on mouseover.
This indeed worked, and gave me my alert to move on to Level 3.
That said, after a bit of research, I realized that I wanted a payload that would always execute, regardless of whether or not a user would mouse over it. For this I decided on a bad image location combined with an onerror alert.
This worked even better, and my payload executed every time I loaded the page!
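Both of these levels come down to untrusted text being written into HTML unescaped. The following is an added example, not code from the XSS game: it shows the output encoding that stops the Level 1 reflection and the Level 2 comment injection. The page layout and the function names (renderSearchResults, renderComment) are assumptions made for the example.

```javascript
// Added example: output encoding for untrusted text. Not the XSS game's own
// code; the markup and function names here are assumptions for illustration.

// The five characters that can change HTML context, mapped to entity references.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape at the point where untrusted text is inserted into an HTML text or
// quoted-attribute context. Escaping earlier (at input time) is fragile,
// because the same value may later be used in a non-HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Level 1 shape: the search term is reflected into the results page.
// With escaping, "<script>" arrives in the browser as visible text.
function renderSearchResults(query) {
  return `<p>Sorry, no results were found for <b>${escapeHtml(query)}</b>.</p>`;
}

// Level 2 shape: comments are rendered into the page. If allowing HTML in
// comments is not a requirement, escape the whole body; then neither an
// onmouseover nor an onerror handler can ever become a real attribute.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample inputs in the shapes the post describes.
const SAMPLE_QUERY = '<script>alert(1)</script>';
const SAMPLE_COMMENT = '<img src=x onerror=alert(1)>';

console.log(renderSearchResults(SAMPLE_QUERY));
console.log(renderComment('bob', SAMPLE_COMMENT));
```

If user-supplied HTML in comments really is a requirement, escaping is not enough and the answer is an allowlisting sanitizer that parses the markup (DOMPurify, for example), not a blocklist of tags or attribute names; blocklists are what Level 6 later shows being bypassed by a simple case change.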
Moving on to Level 3, I found an image gallery that would dynamically load the selected image, instead of hard-coded image tags.
I figured the URL would be my injection point into the chooseTab function, so I decided to test that theory out.
Knowing that I was able to inject code into the end of that image link via the URL, I slightly modified my payload from Level 3, and properly escaped the original image tag. This worked, and gave me the XSS alert I needed to clear Level 3.
Level 4 consisted of a timer that took its duration from a text box on the page. This, in turn, would call a startTimer function with that number of seconds.
NOTE: the semi-colon in the injection needs to be URL encoded (%3B) as it is a reserved character under the URL RFC.
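Levels 3 and 4 share one root cause: a value that is supposed to be a small number is spliced into markup (the image tag) or into code (the startTimer call) as a raw string. The following is an added example, not the XSS game's code, showing the defensive version of both: parse the untrusted string into a bounded integer first, index into a fixed list for the gallery, and hand setTimeout a function reference rather than a string. The function names, the gallery paths and the limits are assumptions for this example.

```javascript
// Added example, not the XSS game's code. Function names, image paths and
// limits below are assumptions for illustration.

// Accept only a plain decimal integer in [min, max]; anything else yields null.
// A strict regex (no sign, no whitespace, no quotes, no trailing junk) is used
// instead of parseInt, which would happily return 1 for "1'><b>".
function parseBoundedInt(input, min, max) {
  if (typeof input !== 'string' || !/^\d{1,9}$/.test(input)) return null;
  const n = Number(input);
  return n >= min && n <= max ? n : null;
}

// Level 3 shape: the gallery has a fixed set of images, so the tab number is an
// index into a list the server controls, never a string concatenated into <img>.
const GALLERY = [
  '/static/gallery/image1.jpg', // assumed paths, not the game's real files
  '/static/gallery/image2.jpg',
  '/static/gallery/image3.jpg',
];

function chooseTabSafe(fragment) {
  const num = parseBoundedInt(fragment, 1, GALLERY.length);
  if (num === null) return null; // refuse, rather than render anything
  return GALLERY[num - 1];       // the page then assigns this to img.src
}

// Level 4 shape: the delay comes from a text box. setTimeout gets a function
// reference; a string argument would be evaluated as code, which is exactly
// what lets a stray quote plus a semicolon (%3B in the URL) alter the script.
// setTimeoutImpl is injectable so the function can be exercised without timers.
function scheduleTimer(rawSeconds, onDone, setTimeoutImpl = setTimeout) {
  const seconds = parseBoundedInt(rawSeconds, 1, 3600);
  if (seconds === null) return null;
  setTimeoutImpl(onDone, seconds * 1000);
  return seconds;
}

// Constructed sample inputs: a normal value and a value carrying a quote.
console.log(chooseTabSafe('2'));    // /static/gallery/image2.jpg
console.log(chooseTabSafe("1'"));   // null
console.log(scheduleTimer('3', () => console.log('done'), (fn, ms) => console.log(`would wait ${ms} ms`)));
```

The point of the strict regex is that validation happens on the string as received; once the value is a JavaScript number it can no longer carry a quote, an angle bracket or a semicolon into either context.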
When I got to Level 5, there was a simple e-mail registration form, and I thought I would be able to inject my payload into the e-mail text box.
Unfortunately, once I clicked "Next", I was just taken to a confirmation page that redirected me back to where I was.
Landing back at the original sign-up page, I noticed that the next parameter in the query string was being used for the redirect. I changed the "confirm" value to "test", to see if this would take me to a different/404 page.
This indeed redirected me to /frame/test, so I knew I had my injection point correct.
This worked, and I was able to continue to Level 6.
With Level 5 completed, it was time to move on to the next (and final) level. Level 6 looked like it would load a local gadget.js file, and then execute it.
My first attempt was to load a very basic alert (alert('xss');) from a Pastebin that I created for this purpose. Unfortunately, there was some input filtering that prevented my remote payload from being executed.
After taking a look at the source again, it seemed like the script was just rejecting anything containing "http".
Having the filter in hand, I decided to try hTTp as opposed to http to see if my script would still be loaded by the page.
This worked, and I was able to fully complete the Google XSS Challenge!
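Levels 5 and 6 are both about an untrusted URL: the next parameter chooses where the page redirects, and the Level 6 fragment chooses which script gets loaded. The Level 6 filter failed because it matched the literal substring "http" rather than parsing the URL, so a case change got past it. The following is an added example, not the XSS game's code, of the same checks done by parsing the value against the site's origin and comparing the result; the origin, the allowed script directory and the function names are assumptions for this example.

```javascript
// Added example, not the XSS game's code. The origin, the /static/ directory
// and the function names are assumptions for illustration.

const SITE_ORIGIN = 'https://app.example'; // assumed origin of the vulnerable app

// Resolve an untrusted string against the site's origin and return the parsed
// URL only if the result is same-origin. Parsing (rather than substring
// matching) normalises scheme case and path traversal, so "hTTp://",
// "HTTPS://", protocol-relative "//host/..." and "/static/../x" are all
// judged on what the browser would actually fetch.
function resolveSameOrigin(input) {
  let url;
  try {
    url = new URL(String(input), SITE_ORIGIN);
  } catch {
    return null; // unparseable input is rejected
  }
  // javascript: and data: URLs have the opaque origin "null", other hosts have
  // their own origin; only an exact match is accepted.
  if (url.origin !== SITE_ORIGIN) return null;
  return url;
}

// Level 5 shape: only redirect to a path on this site. The returned value is
// rebuilt from the parsed path and query, not echoed from the caller's string.
function safeRedirectTarget(next, fallback = '/') {
  const url = resolveSameOrigin(next);
  return url ? url.pathname + url.search : fallback;
}

// Level 6 shape: scripts may only come from the site's own static directory.
// Returning the normalised href is what the page would put in script.src.
function allowedScriptSource(candidate) {
  const url = resolveSameOrigin(candidate);
  if (!url || !url.pathname.startsWith('/static/') || !url.pathname.endsWith('.js')) return null;
  return url.href;
}

// Constructed sample inputs covering the case-change and protocol-relative forms.
for (const c of ['/static/gadget.js', 'hTTp://evil.example/gadget.js', '//evil.example/gadget.js', '/static/../gadget.js']) {
  console.log(c, '->', allowedScriptSource(c));
}
for (const n of ['confirm', 'javascript:void(0)', '//evil.example/']) {
  console.log(n, '->', safeRedirectTarget(n));
}
```

The design choice worth noting is that both checks are allowlists over a parsed value: the question asked is "is the resolved URL exactly where we expect?", never "does the raw string contain something that looks dangerous?", so there is no spelling of the scheme or host left for a case change to slip through.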