Google XSS Game – Solutions

Since I hadn't done the Google XSS game yet, I figured now was a good as any to work on my XSS.

Level 1

Level 1 presented me with a basic search box, that appeared to take the query string and put it directly on the page.

Google XSS - Level 1

With this knowledge in hand, I figured a simple script payload would give me an alert on the results page.

Google XSS - Level 1 XSS

I was correct in my assumption, and got my XSS alert to easily clear Level 1.

Google XSS - Level 1 Solved

Level 2

Level 2 consisted of a "Comments" section on a website, that appeared to support at least some HTML based on the madness link.

Google XSS - Level 2

My initial plan was an empty image tag that would pop-up an alert on mouseover.

Google XSS - Level 2 XSS

This indeed worked, and gave me my alert to move on to Level 3.

Google XSS - Level 2 Solved

That said, after a bit of research, I realized that I wanted a payload that would always execute, regardless of whether or not a user would mouse over it. For this I decided on a bad image location combined with an onerror alert.

Google XSS - Level 2 Onerror

This worked even better, and my payload executed every time I loaded the page!

Google XSS - Level 2 Solved Again

Level 3

Moving on to Level 3, I found an image gallery that would dynamically load the selected image, instead of hard-coded image tags.

Google XSS - Level 3

I figured the URL would be my injection point into the chooseTab function, so I decided to test that theory out.

Google XSS - Level 3 Test

Knowing that I was able to inject code into the end of that image link via the URL, I slightly modified my payload from Level 3, and properly escaped the original image tag. This worked, and gave me the XSS alert I needed to clear Level 3.

Google XSS - Level 3 Solved

Level 4

Level 4 consisted of a timer that took its duration from a text box on the page. This, in turn, would call a startTimer function with that number of seconds.

Google XSS - Level 4

After looking at the image for the loading.gif again, I realized that I could enter in my number of seconds, escape from the onload, and add my JavaScript alert at the end. Once I got the proper escape sequence down, this worked and I was able to beat Level 4.

NOTE: the semi-colon in the injection needs to be URL encoded (%3B) as it is a reserved character under the URL RFC.

Level 5

When I got to Level 5, there was a simple e-mail registration form, that I thought I would be able to inject my payload into the e-mail text box.

Google XSS - Level 5

Unfortunately, once I clicked "Next", I was just taken to a confirmation page that redirected me back to where I was.

Google XSS - Level 5 Test

Landing back at the original sign-up page, I noticed that the next parameter in the query string was being used for the redirect. I changed the "confirm" value to "test", to see if this would take me to a different/404 page.

Google XSS - Level 5 Test 2

This indeed redirected me to /frame/test, so I knew I had my injection point correct.

Google XSS - Level 5 Test 3

With all of this information in hand, I decided to try a basic javascript:alert as my redirect page, to see where the application would take me.

Google XSS - Level 5 XSS

This worked, and I was able to continue to Level 6.

Google XSS - Level 5 Solved

Level 6

With Level 5 completed, it was time to move on to the next (and final) level. Level 6 looked like it would load a local gadget.js file, and then execute it.

My first attempt was to load a very basic alert (alert('xss');) from a Pastebin that I created for this purpose. Unfortunately, there was some input filtering that prevented my remote payload from being executed.

After taking a look at the source again, it seemed like the script was just rejecting anything containing "http".

Google XSS - Level 6 Filter

Having the filter in hand, I decided to try hTTp as opposed to http to see if my script would still be loaded by the page.

Google XSS - Level 6 XSS

This worked, and I was able to fully complete the Google XSS Challenge!

Google XSS - Level 6 Solved

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.