Google XSS challenge: Level 5 aka Breaking protocol (detailed walkthrough)



Before getting started, you should be familiar with XSS, or at least have an idea of what it is. Here is a good article you can read to understand what XSS is.

I also assume that readers are at least familiar with JavaScript. If not, I suggest spending some time with JS and getting comfortable with the basics. You can refer to and MDN which are extremely helpful.

💡 Also, in this whole series we won't even glance at Hints and Toggle Code, because in real-world bug hunting no one will give you hints or non-obfuscated source code, so you have to figure things out yourself.

Mission Description

Cross-site scripting isn’t just about correctly escaping data. Sometimes, attackers can do bad things even without injecting new elements into the DOM.

Mission Objective

Inject a script to pop up an alert() in the context of the application.

Breaking In

This one is interesting and easy as well. One thing you'll notice is that when you click on signup, the URL changes to level5/frame/signup?next=confirm. But what is this next=confirm? On clicking Next, you'll see the URL change to level5/frame/confirm, which tells us that next= holds the page we'll be redirected to.

If we look at the network tab while clicking on signup, we can see the following in the response tab:


So the signup?next=confirm request is made with the query next=confirm, and the response tab shows that the href is set to the value of the query parameter, i.e. confirm. To make sure this is what is happening, you can try signup?next=hello and you'll see href=hello.

Now that we have found the entry point, we need to think of a payload. This is where this level differs from the other levels. Hint: can you execute JavaScript from an <a> tag?

Payload: javascript:alert(/xss level 5/)

Set next=javascript:alert("xss level 5") in the URL.

After Injecting Payload: <a href="javascript:alert(/xss level 5/)">Next >></a>

Click on the Next link and boom! An alert shows up and you have cleared the level.
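
From the defender's side, the fix for this level is to check the scheme of next before it reaches href, because HTML-escaping alone leaves javascript:alert(/xss level 5/) unchanged. The following is an added example, not the challenge's own code; the base URL, the fallback page and the function names are assumptions.

```javascript
// Added example: validate a "next" redirect target before writing it into href.
// BASE is a constructed origin; FALLBACK is a hypothetical safe default page.
const BASE = "https://app.example.invalid/level5/frame/";
const FALLBACK = new URL("welcome", BASE).pathname;
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function safeNextHref(next) {
  if (typeof next !== "string" || next === "") return FALLBACK;
  let url;
  try {
    // Parse the way a browser resolves an href: the WHATWG parser trims
    // leading whitespace, drops embedded tabs/newlines and lowercases the
    // scheme, so " JaVa\tScRiPt:" is seen as "javascript:".
    url = new URL(next, BASE);
  } catch {
    return FALLBACK; // unparseable input never reaches the page
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return FALLBACK; // javascript:, data:, ...
  // Keep the redirect on our own origin (also blocks "//other-host/path").
  if (url.origin !== new URL(BASE).origin) return FALLBACK;
  return url.pathname + url.search + url.hash;
}

// Attribute escaping is still required, but it is not sufficient on its own.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderNextLink(next) {
  return `<a href="${escapeAttr(safeNextHref(next))}">Next &gt;&gt;</a>`;
}

// Constructed inputs: the page's legitimate value, its payload, and variants.
for (const sample of ["confirm", "javascript:alert(/xss level 5/)",
                      " JaVa\tScRiPt:alert(1)", "//other.example.invalid/x"]) {
  console.log(JSON.stringify(sample), "->", renderNextLink(sample));
}
```

Only next=confirm keeps its target; every other sample falls back to the default page.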

We are not done yet! We have 1 more level of the Google XSS challenges to complete, so head over to the blog section and check out the walkthroughs.

🥳 So it’s time to wrap up the post with a quote

“In learning you will teach, and in teaching you will learn” -Phil Collins

          Souvik Kar Mahapatra's DEV Community Profile

#google XSS challenge #walkthrough #wargame #CTF #cross site scripting