In the previous post we talked about how to solve exercises 1, 2 and 3 of the XSS game proposed by Google. Now we are going to solve the remaining ones.

Exercise 4

This exercise is similar to the previous one (Exercise 3). The main difference is that now we have an input field.

It is expected that a number will be typed into the box, but... what will happen if we write a name instead of typing a number?



What happens is that our string has been inserted, unchanged, into the "img" tag...


So, if we type 3');alert('Behindthefirewalls into the box, the result would be...



And the alert appears...
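To see why that payload works and what actually fixes it, here is an added JavaScript example (it is not code from the post or from the XSS game). It models the level-4 pattern as a simplified template that drops the "timer" value into an <img> tag's inline onload handler; the template shape, the startTimer function name and the /static/loading.gif path are assumptions. It also shows the caveat a defender most often gets wrong here: HTML-entity-encoding the value does not help inside an inline event handler, because the HTML parser decodes the entities before the JavaScript engine ever sees the handler.

```javascript
// Added example (not the XSS game's own code). Models the level-4 pattern:
// a user-supplied "timer" value placed inside an <img> onload handler.

// Assumed, simplified form of the vulnerable template: the raw value is
// concatenated into a JavaScript string literal inside an HTML attribute.
function renderTimerUnsafe(timer) {
  return `<img src="/static/loading.gif" onload="startTimer('${timer}');" />`;
}

// HTML attribute encoding of the characters that matter in an attribute.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Tempting but insufficient: entity-encode and keep the inline handler.
function renderTimerEntityEncoded(timer) {
  return `<img src="/static/loading.gif" onload="startTimer('${escapeHtmlAttr(timer)}');" />`;
}

// What the JavaScript engine actually receives: the HTML parser decodes
// character references in the attribute value *before* the handler text is
// compiled as script, so &#x27; turns back into a quote.
function handlerAsSeenByJsEngine(markup) {
  const m = markup.match(/onload="([^"]*)"/);
  if (!m) return null;
  return m[1]
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// The fix: the field is a number, so validate it as one, and keep user data
// out of inline handlers entirely by passing it through a data-* attribute
// that a separately loaded script reads after img.addEventListener("load").
function renderTimerSafe(timer) {
  const raw = String(timer).trim();
  if (!/^\d{1,4}$/.test(raw)) throw new RangeError("timer must be 1-4 digits");
  const n = Number(raw);
  return `<img src="/static/loading.gif" data-timer="${escapeHtmlAttr(n)}" />`;
}

// Detection-style check: does the handler, as the engine sees it, consist of
// exactly one startTimer call and nothing else?
function handlerIsSingleCall(markup) {
  const js = handlerAsSeenByJsEngine(markup);
  return js !== null && /^startTimer\('[^'\\]*'\);$/.test(js);
}
```

The useful lesson is the middle function: renderTimerEntityEncoded looks safe on the wire, yet handlerAsSeenByJsEngine shows the engine still runs startTimer('3');alert('Behindthefirewalls');. A Content-Security-Policy without 'unsafe-inline' for script-src would additionally stop any inline handler from running at all, which is the defence-in-depth layer to pair with the data-attribute approach.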

Exercise 5

I don't know what the reason for looking at "next=confirm" first was, because logic would dictate that the first attempt would be to try to exploit an XSS vulnerability in the input field...


But the first thing that I did was to replace "confirm" with "http://www.behindthefirewalls", reload the page, type my e-mail address and click on "Next", and the result was that I was redirected to my blog...

https://xss-game.appspot.com/level5/frame/signup?next=http://www.behindthefirewalls.com


We have discovered another security issue (an open redirect), but what we want is to locate an XSS vulnerability.

I was trying different options with no success, so I decided to read the hints offered by Google: "If you want to make clicking a link execute Javascript (without using the onclick handler), how can you do it?"

So I tried to use:

next=javascript:alert("behindthefirewalls")

And the alert appeared.

Exercise 6

The fourth hint says: "If you can't easily host your own evil JS file, see if google.com/jsapi?callback=foo will help you here."

If we replace "foo" with "alert", the response from www.google.com/jsapi?callback=alert will include in its code:



So, if we use the link below, we can exploit the vulnerability.

frame#//www.google.com/jsapi?callback=alert



I spent some time trying to solve this exercise in a different way. I tried a lot of possibilities to exploit an XSS vulnerability...



... until I remembered a post I read some months ago...

#data:text/javascript,alert('behindthefirewalls')
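Levels 5 and 6 are really the same bug seen twice: a URL-shaped string taken from the user (the "next" parameter, then the fragment) is trusted after a check that only looks at its prefix. The following added JavaScript example (not code from the post or from the XSS game) covers both. The naiveScriptFilterAllows function is an assumed, simplified stand-in for the kind of check the two bypasses above defeat (a filter that only refuses strings beginning with http:// or https://); SITE_ORIGIN, the /confirm fallback and the gadget names are assumptions. The point it makes is that scheme and host must be decided by a real URL parser against your own origin, and that for script loading the right answer is not to accept a URL at all.

```javascript
// Added example (not the XSS game's own code). One resolver classifies an
// untrusted string; a level-5 policy and a level-6 policy sit on top of it.

const SITE_ORIGIN = "https://xss-game.appspot.com"; // assumed from the post's URLs

// Assumed, simplified form of a prefix-only filter like the one the post
// bypasses: it refuses http:// and https:// and nothing else, so a
// protocol-relative (//host) or data: URL is allowed straight through.
function naiveScriptFilterAllows(url) {
  return !/^https?:\/\//i.test(url);
}

// Resolve against our own origin so that scheme and host are decided by the
// URL parser, not by a regex on the first few characters.
function resolveUntrusted(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) return null;
  try {
    return new URL(input, SITE_ORIGIN);
  } catch {
    return null;
  }
}

// Level 5 policy: a redirect or link target may only be a root-relative path
// on this site. Anything with its own scheme (javascript:, data:, http:) or
// its own host (//evil, /\evil) resolves to a different origin and is dropped.
function safeNext(next, fallback = "/confirm") {
  const url = resolveUntrusted(next);
  if (!url || url.origin !== SITE_ORIGIN) return fallback;
  if (!next.startsWith("/") || /^\/[\/\\]/.test(next)) return fallback;
  return url.pathname + url.search + url.hash; // re-serialized, never the raw input
}

// Level 6 policy: never accept a URL for a script. Accept a short key and map
// it to a fixed script on our own origin, so user input can select a gadget
// but can never compose where it is loaded from.
const GADGETS = Object.freeze({
  clock: "/static/gadgets/clock.js",     // assumed gadget names and paths
  weather: "/static/gadgets/weather.js",
});

function safeGadgetSrc(key) {
  if (!Object.prototype.hasOwnProperty.call(GADGETS, key)) return null;
  return new URL(GADGETS[key], SITE_ORIGIN).href;
}

// Minimal attribute encoder for embedding the chosen value in markup.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNextLink(next) {
  return `<a href="${escapeHtmlAttr(safeNext(next))}">Next</a>`;
}
```

Two details are worth noticing. safeNext re-serialises the parsed URL rather than echoing the input, so what reaches the href is always something the parser produced; and safeGadgetSrc uses hasOwnProperty rather than GADGETS[key] truthiness, so keys like "constructor" that exist on every object's prototype are not accepted. Even a host allowlist would not have been enough for level 6, because the hint's www.google.com/jsapi?callback=alert is a legitimate host serving attacker-chosen code; a fixed key-to-script map removes that class of problem.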