Before getting started one should be familiar with XSS or at least have an idea about it. Here is a good article which you may give a read to understand what is XSS. Read!
💡 Also in this whole series we'll not even roll our eyes on Hints and Toggle Code as in real-world bug hunting no one will give you hints or non-obfuscated source code so you have to figure out things yourself.
This is very tricky to get right -- allowing user input to influence the URL when loading scripts or other potentially dangerous types of data such as XMLHttpRequest often leads to serious vulnerabilities.
Find a way to make the application request an external file that will cause it to execute an alert().
It's the showdown!
Starting with a similar approach we used in other levels, first, we'll understand what the application does. Notice in the URL
Having a look at the Network tab in-browser dev tool and we see gadget.js, there is nothing special about it but moving to the initiator tab tells us which part of the application initiated this request.
which leads us to the following
There are 3 parts. Line 48 calls
includeGadget and line 17 is where we get the meat of this function.
Notice something? Yep! line 21 uses a regular expression to prevent us from loading external URLs. If you are familiar with regular expressions then you can easily figure out this specific regular expression prevents us from loading only those URLs starting with
Also, line 18 creates a script element, line 28 it sets the source of the script element to the path to the JS file after
# in the URL and finally, line 40 appends the script in the head tag of the application.
I'll try to load an external URL like so
level6/frame#/static/gadget.js and run a debugger to show what happens at line 21.
in the image above you can see
url=https://google.com and at line 21 it matches with the regular expression which is why it enters the
if statement and prevents further execution of the script.
We found the weakness of the application and the Mission Objective already gave us a hint of what to do. We need to create an external JS file and host it somewhere and use that URL after
# in the original URL.
Since we cannot use
HTTP/HTTPS with the URL, so we need to understand how the URL behaves.
I couldn't find any specific service which hosts JS file over HTTPS, so I headed over to Glitch.com (online code playground + awesome features). Select Hello-webpage project and in that, I added
alert(/xss level-6 baby/) and saved it. Perks of using Glitch.com is that it even hosts your project over HTTPS.
save the post and to get the URL of the hosted project click on the share button on the top left corner and copy the live site URL. To access the JS file of your project just change the URL from
now time to load this script in the application but remember we can't use
HTTP/HTTPS so we omit that, our payload becomes:
This is what the URL will look like:
On omitting the protocol(HTTP/HTTPS) in the URL it will inherit the protocol from the current environment or the current page i.e HTTPS which is why you have to make sure that your JS file is hosted over HTTPS otherwise browser will refuse to load.
and Boom! we popped an alert!!
We are done with the Google XSS Challenge and we popped a lot of alerts!
🥳 So it's time to wrap up the post with a quote
"Do your work with your whole heart, and you will succeed – there’s so little competition." -Elbert Hubbard