Friday, June 20, 2014

Solution of XSS Game: Level 3 That sinking feeling...

Hi, Everyone.

By now I assume that you are done with the Solution of Level 1: Hello, World of XSS and the Solution of XSS Game: Level 2 Persistence is key. Those two missions were fairly easy to solve; the next mission, XSS game Level 3: That sinking feeling..., is a little more tricky. But do not worry, this post has a solution to Level 3: That sinking feeling...

Description as per the Game:
As you've seen in the previous level, some common JS functions are execution sinks which means that they will cause the browser to execute any scripts that appear in their input. Sometimes this fact is hidden by higher-level APIs which use one of these functions under the hood.

The application on this level is using one such hidden sink.
Mission Objective of the Game:
As before, inject a script to pop up a JavaScript alert() in the app.

Since you can't enter your payload anywhere in the application, you will have to manually edit the address in the URL bar below.
Solution To The Game:
As the objective says, the payload has to be inserted manually in the URL bar. Looking at the source, we can see that the image is loaded by this particular line of JS: html += "<img src='/static/level3/cloud" + num + ".jpg' />"; and this is the vulnerable code. Whatever is typed after https://xss-game.appspot.com/level3/frame# (the URL fragment) is stored in the variable num and concatenated straight into the markup, with no validation or encoding, before the markup is written into the page. So, to solve this level, notice that a single quote delimits the src value inside the image tag: we put a single quote (') in the URL bar to close that quoted value, and then our script follows as a new attribute of the same tag. Our full URL payload therefore becomes https://xss-game.appspot.com/level3/frame#' onerror="alert(9)" and we get an alert box with 9 in it.

This level can be solved using several other methods and payloads, such as https://xss-game.appspot.com/level3/frame#'><script>alert(9)</script>, but according to the level the method above is the intended one.
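To show why the level's sink is dangerous and how it should have been written, here is an added example (my own code, not the game's source): the vulnerable concatenation quoted above next to a hardened builder that allow-lists num as a small integer and attribute-encodes it as defence in depth, plus a simple check a reviewer or detection rule could run over generated markup. All function names and the image count of 3 are assumptions.

```javascript
// Added example, not code from the original post or the XSS game.
// The level's sink: untrusted fragment text is spliced into an attribute by
// string concatenation and then written into the page as HTML.

// Mirrors the vulnerable pattern quoted on the page: `num` goes in raw.
function buildImageMarkupUnsafe(num) {
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}

// Encode the characters that can terminate an attribute value or a tag.
function encodeAttr(value) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Allow-list: the app only has a fixed set of cloud images (assumed: 1..maxIndex),
// so the fragment is accepted only if it is exactly one of those indices.
function parseCloudIndex(fragment, maxIndex) {
  if (!/^[1-9][0-9]*$/.test(fragment)) return null; // reject anything that is not a plain integer
  var n = Number(fragment);
  return n >= 1 && n <= maxIndex ? n : null;
}

// Hardened builder: validate first, encode anyway, render nothing on bad input.
function buildImageMarkupSafe(fragment) {
  var n = parseCloudIndex(fragment, 3);
  if (n === null) return null;
  return "<img src='/static/level3/cloud" + encodeAttr(n) + ".jpg' />";
}

// Review/detection check: did input survive into the markup as an extra
// event-handler attribute on the img tag? True means the sink was exploited.
function markupHasInjectedAttribute(markup) {
  return /<img[^>]*\son\w+\s*=/i.test(markup);
}
```

Run against the page's own payload, the unsafe builder produces an img tag carrying an onerror attribute, while the safe builder returns null and renders nothing.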
