DEV Community

Cover image for Google XSS challenge: Level 5 aka Breaking protocol (detailed walkthrough)
Souvik Kar Mahapatra
Souvik Kar Mahapatra

Posted on • Edited on • Originally published at souvikinator.netlify.app

Google XSS challenge: Level 5 aka Breaking protocol (detailed walkthrough)

Prerequisite

Before getting started one should be familiar with XSS or at least have an idea about it. Here is a good article which you may give a read to understand what is XSS. Read!

Also, I assume that readers are at least familiar with JavaScript. If not then I'll suggest to spend some time with JS and get comfortable with the basics. You can refer to javascript.info and MDN which are extremely helpful.

💡 Also in this whole series we'll not even roll our eyes on Hints and Toggle Code as in real-world bug hunting no one will give you hints or non-obfuscator source code so you have to figure out things yourself.

Mission Description

Cross-site scripting isn't just about correctly escaping data. Sometimes, attackers can do bad things even without injecting new elements into the DOM.

Mission Objective

Inject a script to pop up an alert() in the context of the application.

Breaking In

This one is interesting and easy as well. One thing you'll notice here is as you click on signup the URL changes to level5/frame/signup?next=confirm but what is this next=confirm. On clicking next you'll see the URL changes to level5/frame/confirm which tells us that next= is where we'll be redirected.

While having a look at the network tab we click on signup, we can see the following in the response tab:

xss-level-5-network-dev-tool.png

so signup?next=confirm request is being made with query next=confirm and we can see in the response tab that the href is set to the query parameter i.e confirm. Just to make sure this is what is happening you can try signup?next=hello and you'll see href=hello.

Now that we found the entry point we need to think of a payload. This is where the level gets different from other levels. Hint: can you execute JavaScript from an <a> tag?

Payload: javascript:alert(/xss level 5/)

set next=javascript:alert("xss level 5") in the URL.

After Injecting Payload: <a href="javascript:alert(/xss level 5/)">Next >></a>

Click on the next link and Boom! an alert showed up and you cleared the level.

We are not done yet!! We have 1 more level of Google XSS challenges to complete so head over to the blog section and checkout walkthroughs.

🥳 So it's time to wrap up the post with a quote

"In learning, you will teach, and in teaching, you will learn" -Phil Collins

Top comments (0)