Bypassing Google XSS challenge

Prerequisite

Before getting started one should be familiar with XSS or at least have an idea about it. Here is a good article which you may give a read to understand what is XSS. Read!

Also I assume that readers are at least familiar with JavaScript. If not then I'll suggest to spend some time with JS and get comfortable with the basics. You can refer to javascript.info and MDN which are extremely helpful.

Breaking In

Well we already solved the Google XSS challenge and I wanted to share a pretty basic thing I did when I first tried this challenge. What if I say you can bypass all the levels without even solving it?

I know it's not good but hey! we already solved the game so it won't be counted as cheating. Its super easy but this post will help you understand the approach to understand working of an application and how to look for weakness in an application.

As start off with the challenge, in the intro page i.e https://xss-game.appspot.com you can see following:

Is it possible to cheat at this game?
Yes, since this is a browser-based game, you will be able to cheat by messing with the page internals in developer tools or editing HTTP traffic. However, we're sure that you won't have to resort to that -- there are hints and source to guide you. And as your teacher once told you: you would only be cheating yourself ;-)

All you have to do is understand how this games verifies your progress in the game.

You'll notice that URL of level 1 is xss-game.appspot.com/level1 and that of level 2 is xss-game.appspot.com/level2. Cool if we do xss-game.appspot.com/level3 then it should lead us to level 3 but no! you get following message

Based on your browser cookies it seems like you haven't passed the previous level of the game. Please go back to the previous level and complete the challenge.

so seems like site is keeping track of the levels we cleared using cookies and if you go to application > cookies you'll notice the cookies are HttpOnly i.e these cookies can't be modified from client side. Need to find a way around.

NOTE: well if you add /frame/ after URL or each level then the cookie message doesn't seem to appear. Ex- xss-game.appspot.com/level1/frame/ and so on, however I am not sure whether progress will be tracked or not.

In Level 1 open the dev tools and go to source > frame and look for game-frame.js.

well things over here are pretty clear what is happening but for the sake of explanation let's set break point at line 8 and set payload as <script>alert("test")</script> in the input.

breaking down game-frame.js

line 6: if we execute an alert from iframe then that alert is suppressed but the text content of the alert is passed as argument s to a function at line 7.

line 8: Here parent is window property which returns the parent window of the current window (iframe in this case). So on alert a success message is being sent to the outer window using parent.PostMessage.

line 10: then out alert text content is being concatenated with some extra string and a timeout is set for 50 Ms.

also in the gif we can see the debugger takes us to game.js which listens for the message from iframe and does some stuff which you can understand if you are familiar with JavaScript.

Summary: to clear the level we need to pop an alert from the iframe

and below is the code I came up with

 function bypass_level(){
    iframe=document.getElementsByClassName('game-frame')[0].contentWindow.document; 
    bypass=document.createElement('script');
    bypass.textContent="alert(/level bypassed/)";
    iframe.head.appendChild(bypass) 
 }
 window.onload=function(){    
    bypass_level();
 }

1. It first gets the iframe and it's insides.

2. Then creates a script element and sets content of script to alert(/level bypassed/)

3. Appends the script element in the head of the iframe content.

4. The function will be called whenever the page reloads i.e whenever I move to the next level.

and here is the demo:

Just with 6 clicks we cleared the whole challenge.

Honestly we don't even need this much of code. If we change the scope of developer tool to the iframe from top and execute an alert right in the console then it'll work.

Jokes apart, I believe there are other ways to bypass levels as well. Go find them out and mention them in the comments. I suggest you to first solve all the levels by understanding the working of the application and then come to this post but at the end it's your choice.

📄 Google XSS challenge detailed walkthrough level 1-6

Feel free to point out mistakes in the post or suggest improvements. Originally posted on souvikinator.netlify.app and will eventually migrate other blog posts here so stay tuned.

🥳 So it's time to wrap up the post with a quote

“If you cheat, you would only be cheating yourself” – literally every teacher in the world 🤣