Bypassing Google XSS challenge
Souvik Kar Mahapatra
Posted on February 7, 2021
Prerequisite
Before getting started one should be familiar with XSS, or at least have an idea about it. Here is a good article which you may give a read to understand what XSS is: Read!
I also assume that readers are at least familiar with JavaScript. If not, I'd suggest spending some time with JS and getting comfortable with the basics. You can refer to javascript.info and MDN, which are extremely helpful.
Breaking In
Well, we already solved the Google XSS challenge, and I wanted to share a pretty basic thing I did when I first tried this challenge. What if I say you can bypass all the levels without even solving them?
I know it's not good, but hey! We already solved the game, so it won't count as cheating. It's super easy, but this post will help you understand the approach of working out how an application works and how to look for weaknesses in it.
To start off with the challenge, on the intro page, i.e. https://xss-game.appspot.com, you can see the following:
Is it possible to cheat at this game?
Yes, since this is a browser-based game, you will be able to cheat by messing with the page internals in developer tools or editing HTTP traffic. However, we're sure that you won't have to resort to that -- there are hints and source to guide you. And as your teacher once told you: you would only be cheating yourself ;-)
All you have to do is understand how this game verifies your progress.
You'll notice that the URL of level 1 is xss-game.appspot.com/level1 and that of level 2 is xss-game.appspot.com/level2. Cool, so if we go to xss-game.appspot.com/level3 it should lead us to level 3, but no! You get the following message:
Based on your browser cookies it seems like you haven't passed the previous level of the game. Please go back to the previous level and complete the challenge.
So it seems the site is keeping track of the levels we cleared using cookies, and if you go to Application > Cookies you'll notice the cookies are HttpOnly, i.e. these cookies can't be modified from client-side script. We need to find a way around that.
NOTE: if you add /frame/ after the URL of each level, the cookie message doesn't seem to appear, e.g. xss-game.appspot.com/level1/frame/ and so on; however, I am not sure whether progress will be tracked or not.
In Level 1, open the dev tools, go to Sources > frame and look for game-frame.js.
What is happening here is pretty clear, but for the sake of explanation let's set a breakpoint at line 8 and use <script>alert("test")</script> as the payload in the input.
Breaking down game-frame.js
Line 6: if we execute an alert from the iframe, that alert is suppressed, but the text content of the alert is passed as the argument s to a function at line 7.
Line 8: here parent is a window property which returns the parent window of the current window (the iframe in this case). So on alert, a success message is sent to the outer window using parent.postMessage.
Line 10: then our alert text content is concatenated with some extra string and a timeout is set for 50 ms.
Also, in the gif we can see that the debugger takes us to game.js, which listens for the message from the iframe and does some stuff which you can understand if you are familiar with JavaScript.
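To make the verification path above concrete, here is an added, stand-alone model of it; it is not the xss-game's own game-frame.js or game.js. Browser windows are replaced by plain objects so it runs under Node, and the origin value GAME_ORIGIN, the message shape ({ type, text }) and all function names are assumptions of this example.

```javascript
// Added example, not the xss-game's own code: a Node-runnable model of the
// verification path described above. Browser windows are replaced by plain
// objects; the origin value and the message shape are assumptions.

const GAME_ORIGIN = 'https://game.example'; // assumed origin of the game frame (placeholder)

// Parent window stand-in: just an inbox of received messages.
function makeParentWindow() {
  return { inbox: [] };
}

// Returns a frame window whose parent.postMessage() delivers into the parent's
// inbox with the sender origin attached, the way the browser stamps event.origin.
function connectFrame(parentWindow, frameOrigin) {
  return {
    parent: {
      postMessage(data, targetOrigin) {
        parentWindow.inbox.push({ data, origin: frameOrigin, targetOrigin });
      },
    },
    alert: null,
  };
}

// Model of game-frame.js lines 6-8: alert() is replaced so no dialog appears and
// the alert text is forwarded to the parent window instead.
function installAlertHook(frameWindow) {
  frameWindow.alert = function (s) {
    frameWindow.parent.postMessage({ type: 'success', text: String(s) }, '*');
  };
}

// Model of the game.js listener with the check a reviewer would expect:
// the message must come from the frame's origin and have the agreed shape.
function makeProgressListener(expectedOrigin) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return false;
    if (!event.data || typeof event.data !== 'object') return false;
    return event.data.type === 'success' && typeof event.data.text === 'string';
  };
}

// Runs one alert() through the hook and the listener; returns whether the
// level counts as "passed" on the parent side.
function runAlertThroughListener(frameOrigin, alertText) {
  const parent = makeParentWindow();
  const frame = connectFrame(parent, frameOrigin);
  installAlertHook(frame);
  const onMessage = makeProgressListener(GAME_ORIGIN);
  frame.alert(alertText);
  const event = parent.inbox[parent.inbox.length - 1];
  return onMessage(event);
}

// The listener cannot tell who called alert(): an injected payload, a script
// appended from the developer tools, or a line typed in the console all produce
// the same message. Progress is only as trustworthy as whatever is allowed to
// run inside the frame.
console.log(runAlertThroughListener(GAME_ORIGIN, 'test'));             // true
console.log(runAlertThroughListener('https://other.example', 'test')); // false
```

The origin check is the one thing the parent can verify from the message itself; it rules out messages from unrelated frames, but not a same-origin alert triggered by hand, which is exactly why the cookie, not the message, is what ultimately tracks progress.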
Summary: to clear the level we need to pop an alert from the iframe, and below is the code I came up with:
```javascript
// Runs in the game's outer page (top window), e.g. from the developer tools.
function bypass_level(){
  // Get the document inside the game iframe (same origin, so it is accessible).
  var iframe = document.getElementsByClassName('game-frame')[0].contentWindow.document;
  // Create a script element whose content pops the alert the level waits for.
  var bypass = document.createElement('script');
  bypass.textContent = "alert(/level bypassed/)";
  // Append it to the iframe's head so it executes in the iframe's context.
  iframe.head.appendChild(bypass);
}
// Run on every page load, i.e. each time the next level is shown.
window.onload = function(){
  bypass_level();
}
```
It first gets the iframe and its contents. Then it creates a script element, sets the content of the script to alert(/level bypassed/) and appends the script element to the head of the iframe document. The function will be called whenever the page reloads, i.e. whenever I move to the next level.
And here is the demo:
With just 6 clicks we cleared the whole challenge.
Honestly, we don't even need this much code. If we change the scope of the developer tools console from top to the iframe and execute an alert right in the console, it'll work.
Jokes apart, I believe there are other ways to bypass the levels as well. Go find them and mention them in the comments. I suggest you first solve all the levels by understanding how the application works and then come back to this post, but in the end it's your choice.
Feel free to point out mistakes in the post or suggest improvements. Originally posted on souvikinator.netlify.app; I will eventually migrate other blog posts here, so stay tuned.
🥳 So it's time to wrap up the post with a quote:
“If you cheat, you would only be cheating yourself” – literally every teacher in the world 🤣