Before getting started you should be familiar with XSS, or at least have an idea of what it is. Here is a good article you can read to understand what XSS is: Read!
💡 Also, in this whole series we won't even glance at Hints or Toggle Code, because in real-world bug hunting no one will give you hints or unobfuscated source code; you have to figure things out yourself.
Cross-site scripting isn't just about correctly escaping data. Sometimes, attackers can do bad things even without injecting new elements into the DOM.
Inject a script to pop up an alert() in the context of the application.
This one is interesting and easy as well. One thing you'll notice is that when you click on `signup` the URL changes to `level5/frame/signup?next=confirm`. So what is this `next=confirm`? On clicking `Next` you'll see the URL change to `level5/frame/confirm`, which tells us that `next=` is where we'll be redirected to.

Watching the network tab while clicking `signup`, we can see the `signup?next=confirm` request being made with the query `next=confirm`, and in the response tab the `href` of the Next link is set to the value of that query parameter, i.e. `confirm`. In other words, whatever we put in `next` lands in a URL attribute, not in the page text, so this is an href injection rather than a "write a new tag" injection. Just to make sure this is what is happening, try `signup?next=hello` and you'll see the `href` become `hello`:
After Injecting Payload:
Click on the Next link and boom! An alert pops up and you've cleared the level.
We're not done yet! We have one more level of the Google XSS challenges to complete, so head over to the blog section and check out the walkthroughs.
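As an added example (not code from the original post and not the XSS Game's own server code, which this page never shows), here is a small Node.js model of the Level 5 Next link: a vulnerable renderer that drops the `next` value straight into `href`, a check that resolves the href the way a browser would to see whether clicking it runs script, and a hardened renderer that only accepts same-origin targets. The function names, the base URL and the sample `next` values are assumptions made for this illustration.

```javascript
// Added example, not the XSS Game's code: models how Level 5 builds the
// "Next" link from the `next` query parameter. BASE, DEFAULT_NEXT, the
// function names and the sample inputs below are assumptions.
const BASE = "https://xss-game.appspot.com/level5/frame/"; // assumed page location
const DEFAULT_NEXT = "confirm";

// HTML attribute escaping stops breaking out of the quotes, but does NOT
// stop a javascript: URL: the value is consumed as a URL, not as text.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable rendering: the `next` value becomes the href verbatim.
function renderNextLinkVulnerable(nextParam) {
  return `<a href="${escapeAttr(nextParam)}">Next &gt;&gt;</a>`;
}

// Resolve an href against the page URL, as the browser will on click, and
// report whether following it executes script. Parsing instead of matching
// the literal string "javascript:" also catches case variants and embedded
// tabs/newlines, which the WHATWG URL parser strips before reading the scheme.
function hrefRunsScript(href) {
  try {
    return new URL(href, BASE).protocol === "javascript:";
  } catch {
    return false; // unparsable href: nothing to navigate to
  }
}

// Hardened: only a same-origin https target is accepted; anything else
// (javascript:, data:, protocol-relative //host, unparsable) falls back.
function safeNext(nextParam) {
  const origin = new URL(BASE).origin;
  let target;
  try {
    target = new URL(nextParam, BASE);
  } catch {
    target = new URL(DEFAULT_NEXT, BASE);
  }
  if (target.protocol !== "https:" || target.origin !== origin) {
    target = new URL(DEFAULT_NEXT, BASE);
  }
  return target.pathname + target.search;
}

function renderNextLinkSafe(nextParam) {
  return `<a href="${escapeAttr(safeNext(nextParam))}">Next &gt;&gt;</a>`;
}

// Run the constructed sample values through both renderers.
function demo() {
  const inputs = [
    "confirm",
    "hello",
    "javascript:alert(1)",
    "JavaScript:alert(1)",
    "java\tscript:alert(1)",
    "//evil.example/",
  ];
  return inputs.map((next) => ({
    next,
    vulnerable: renderNextLinkVulnerable(next),
    runsScript: hrefRunsScript(next),
    hardened: renderNextLinkSafe(next),
  }));
}

for (const row of demo()) console.log(row);
```

The point the check makes: attribute-escaping the `next` value changes nothing here, because a `javascript:` URL needs no quotes or angle brackets to work. A value that ends up in a URL context has to be validated as a URL (scheme and origin), not escaped as text, which is the lesson behind the level's "without injecting new elements into the DOM" mission statement.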
🥳 So it's time to wrap up the post with a quote
"In learning, you will teach, and in teaching, you will learn" -Phil Collins