Wednesday, June 25, 2014

Solution Of XSS Game: Level 4 Context matters

Hi, Everyone.

Level 3 was a little bit tricky, but this level is trickier still, and you need some knowledge of JavaScript as well. Let's get to the solution quickly.

Description As Per The Game:
Every bit of user-supplied data must be correctly escaped for the context of the page in which it will appear. This level shows why.
Mission Objective Of The Game:
Inject a script to pop up a JavaScript alert() in the application.
Solution To The Game:
This challenge has an input box which accepts a time for the timer. First, let's enter a random number to check which functions are called and what exactly is going on in the app. I entered the number "3" in the input box; clicking on Create Timer took me to another page where, after a 3-second interval, a pop-up box shows up with a time-up message. After having a look at the source of the page, I noticed a JS function called startTimer which handles all the input. Then there is another interesting piece of code which we can use to inject our payload: <img onload="startTimer('300');" src="/static/loading.gif"></img>

We will be injecting our code into this onload handler. But first let's see if we can break out of the quoted string passed to startTimer by inserting a single quote ('). It gives us an error in the JS console, which means we have escaped the string context and an attack is possible. Now we inject our code using OR (||) in the onload handler. So, our injection parameter is 300') || alert ('9 and our full URL is https://xss-game.appspot.com/level4/frame?timer=300') || alert ('9
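The two-layer escaping the level's description is about, as an added JavaScript example that is not part of the original post or the game: the same onload tag built three ways (raw as the level does it, escaped inside-out, and validated), replayed against the payload above. The renderer names and the small-integer check are my own assumptions.

```javascript
// Escape for a JS single-quoted string literal with \uXXXX escapes. Quotes and
// backslashes are the essentials; < > & and line terminators are included so the
// value can never close a surrounding <script> or break out of the literal.
function escapeJsString(s) {
  return String(s).replace(/[\\'"<>&\r\n\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Escape for a double-quoted HTML attribute value.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// The level's construction: the timer parameter is concatenated raw into a JS
// string literal that itself sits inside an HTML attribute.
function renderTimerVulnerable(timer) {
  return `<img onload="startTimer('${timer}');" src="/static/loading.gif">`;
}

// Hardened: escape for the inner (JS string) context first, then for the outer
// (HTML attribute) context, because the browser decodes the attribute before
// the JS engine sees it.
function renderTimerEscaped(timer) {
  const js = escapeJsString(timer);
  return `<img onload="startTimer('${escapeHtmlAttr(js)}');" src="/static/loading.gif">`;
}

// Strongest option for this field (my assumption: a timer is a small integer):
// validate the shape and refuse anything else instead of escaping.
function renderTimerValidated(timer) {
  if (!/^\d{1,6}$/.test(String(timer))) throw new Error('timer must be a positive integer');
  return `<img onload="startTimer('${timer}');" src="/static/loading.gif">`;
}

// Model what the JS engine receives: take the onload attribute, undo the HTML
// entity layer as the parser would, and check for one call with one string argument.
function onloadIsSingleStringCall(html) {
  const m = /onload="([^"]*)"/.exec(html);
  if (!m) return false;
  const js = m[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, e) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" }[e]));
  return /^startTimer\('(?:[^'\\]|\\.)*'\);$/.test(js);
}

// Replay the post's payload against the raw and the escaped renderer.
const payload = "300') || alert ('9";
console.log(renderTimerVulnerable(payload), onloadIsSingleStringCall(renderTimerVulnerable(payload)));
console.log(renderTimerEscaped(payload), onloadIsSingleStringCall(renderTimerEscaped(payload)));
```

With the raw renderer the string literal ends at the injected quote and the check fails; with inside-out escaping the whole value stays one literal, and the validating renderer rejects it outright.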

Friday, June 20, 2014

Solution Of XSS Game: Level 3 That sinking feeling...

Hi, Everyone.

By now I assume that you are done with Solution of Level 1: Hello, World of XSS and Solution Of XSS Game: Level 2 Persistence is key. Those two missions were pretty easy to solve; the next mission, Level 3: That sinking feeling..., is going to be a little more tricky. But do not worry, this post has a solution to Level 3: That sinking feeling...

Description as per the Game:
As you've seen in the previous level, some common JS functions are execution sinks which means that they will cause the browser to execute any scripts that appear in their input. Sometimes this fact is hidden by higher-level APIs which use one of these functions under the hood.

The application on this level is using one such hidden sink.
Mission Objective of the Game:
As before, inject a script to pop up a JavaScript alert() in the app.

Since you can't enter your payload anywhere in the application, you will have to manually edit the address in the URL bar below.
Solution To The Game:
As per the objective, the payload has to be inserted manually in the URL bar. By looking at the source, we can see that the image is loaded by this particular piece of JS: html += "<img src='/static/level3/cloud" + num + ".jpg' />"; and this is the vulnerable code. It accepts the value from the URL bar: anything typed after https://xss-game.appspot.com/level3/frame# is stored in the variable num. So, to solve this level, notice that a single quote is used around the src value inside the image tag; we use a single quote (') in the URL bar to close that quoted src attribute of the <img> tag and then add the attribute that executes our script. So, our full URL payload becomes https://xss-game.appspot.com/level3/frame#' onerror="alert(9)" and we get an alert box with 9 in it.

This level can be solved using several other methods and payloads, such as https://xss-game.appspot.com/level3/frame#'><script>alert(9)</script> , but according to the level the method above is the correct one.
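The single-quoted attribute context that makes both payloads above work, as an added JavaScript example that is not part of the original post or the game: the level's concatenation is shown beside an escaped and a validated version, with a check that the user data stayed inside the src value. The builder names and the assumption that the gallery has tabs 1 to 3 are mine.

```javascript
// Escape for an HTML attribute value (covers both quote styles).
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// The level's construction: num (taken from the URL fragment) is concatenated
// raw into a single-quoted src attribute.
function renderCloudVulnerable(num) {
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}

// Contextual escaping: a quote in num can no longer end the src value, so
// whatever follows it stays inside the attribute instead of becoming a new one.
function renderCloudEscaped(num) {
  return "<img src='/static/level3/cloud" + escapeHtmlAttr(num) + ".jpg' />";
}

// Validation (my assumption: the gallery has image tabs 1 to 3): accept only
// the expected digit and refuse everything else.
function renderCloudValidated(num) {
  if (!/^[1-3]$/.test(String(num))) throw new Error('invalid tab number');
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}

// Check that the output is still exactly one <img> with a single src attribute,
// i.e. the user data never left the attribute value.
function isSingleImgTag(html) {
  return /^<img src='[^'<>]*' \/>$/.test(html);
}

// Replay the post's two payloads against the raw and the escaped builder.
for (const p of ["' onerror=\"alert(9)\"", "'><script>alert(9)</script>"]) {
  console.log(renderCloudVulnerable(p), isSingleImgTag(renderCloudVulnerable(p)));
  console.log(renderCloudEscaped(p), isSingleImgTag(renderCloudEscaped(p)));
}
```

In a real page the cleaner fix is to avoid the HTML-string sink entirely and assign the URL through the DOM (create the img element and set its src property), which needs no escaping at all.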

Solution Of XSS Game: Level 2 Persistence is key

Hi, Everyone.

So, you are now done with Solution of Level 1: Hello, World of XSS. The next level you will have to deal with is Level 2: Persistence is Key. This post has a solution to Google's XSS game Level 2: Persistence is Key.

Description as per the Game:
Web applications often keep user data in server-side and, increasingly, client-side databases and later display it to users. No matter where such user-controlled data comes from, it should be handled carefully.

This level shows how easily XSS bugs can be introduced in complex apps.
Mission Objective of the Game:
Inject a script to pop up an alert() in the context of the application.

Note: the application saves your posts so if you sneak in code to execute the alert, this level will be solved every time you reload it.
Solution To The Game:
There are many ways to solve this XSS problem. There is a status box to share a status which doesn't filter tags like <a></a>, so there is an easy way to exploit XSS using an event-handler attribute such as onmouseover on <a>. So, I go to the input box and enter this query: <a onmouseover="alert(9);" href="#">Place mouse here</a>. Now hover the mouse over the text "Place mouse here" and you should get an alert box with 9 in it.

This level can be solved using several other methods too, such as using the onerror attribute of the <img> tag. The query <img src=x onerror=alert(9)> will also give an alert box with 9 in it.

Solution Of XSS Game: Level 1 Hello, world of XSS

Hi, Everyone.

It seems that you are now working on the XSS game challenge by Google. This post has a solution to Level 1: Hello, world of XSS.

Description as per the Game:
This level demonstrates a common cause of cross-site scripting where user input is directly included in the page without proper escaping.

Interact with the vulnerable application window below and find a way to make it execute JavaScript of your choosing. You can take actions inside the vulnerable window or directly edit its URL bar.
Mission Objective of the Game:
Inject a script to pop up a JavaScript alert() in the frame below.

Once you show the alert you will be able to advance to the next level.
Solution To the Game:
The solution is pretty easy: no filtering of any kind is done on the text we input. So, a simple query <script>alert(9)</script> will pop up an alert with 9 and the level is done.

Let The Game Begin

Hi, Everyone.

Google recently released XSS game, a game developed with the intention of making developers aware of the Cross-Site Scripting vulnerability. This vulnerability allows an attacker to steal and modify user data. Developed by Google engineer Ilya Grigorik, the game is all about finding and exploiting XSS bugs.

http://xss-game-solved.blogspot.com/ is a blog where you will find solutions and answers to this XSS game. Try not to look for the solutions if you can.

Thank you.