Google XSS challenge: Level 6 aka Follow the 🐇 (detailed walkthrough)



Before getting started you should be familiar with XSS, or at least have an idea of what it is. Here is a good article you may read to understand what XSS is. Read!

I also assume that readers are at least familiar with JavaScript. If not, I suggest spending some time with JS and getting comfortable with the basics. You can refer to and MDN, which are extremely helpful.

💡 Also, throughout this series we won't even glance at Hints or Toggle Code, because in real-world bug hunting no one will give you hints or source code; you have to figure things out yourself.

Mission Description

Complex web applications sometimes have the capability to dynamically load JavaScript libraries based on the value of their URL parameters or part of location.hash.

This is very tricky to get right – allowing user input to influence the URL when loading scripts or other potentially dangerous types of data such as XMLHttpRequest often leads to serious vulnerabilities.

Mission Objective

Find a way to make the application request an external file which will cause it to execute an alert().

Breaking In

It’s the final showdown!

get ready

Starting with the same approach we used in the other levels, first we'll understand what the application does. Notice that in the URL level6/frame#/static/gadget.js, after the # there is a path to a file. It looks like it loads a JavaScript file, gadget.js, from /static/.

Looking at the Network tab in the browser dev tools we see gadget.js. There is nothing special about it, but moving to the Initiator tab tells us which part of the application initiated this request,


which leads us to the following


There are 3 parts. Line 48 calls includeGadget, and line 17 is where we get the meat of this function. Notice something? Yep! Line 21 uses a regular expression to stop us from loading external URLs. If you are familiar with regular expressions you can easily see that this particular one only blocks URLs that start with http or https.

Also, line 18 creates a script element, line 28 sets the source of that script element to the path after the # in the URL, and finally line 40 appends the script to the head tag of the application.

I'll try to load an external URL like so, level6/frame#/static/gadget.js, and run the debugger to show what happens at line 21.


In the image above you can see url= and at line 21 it matches the regular expression, which is why it enters the if statement and stops further execution of the script.

We have found the weakness of the application, and the Mission Objective already hinted at what to do: create an external JS file, host it somewhere, and use that URL after the # in the original URL.

Since we cannot use http/https in the URL, we need to understand how URLs behave. Check out my post on Analyzing how browser interprets (weird) URLs.

I couldn't find any specific service that hosts JS files over HTTPS, so I headed over to (an online code playground with awesome features). I selected the Hello-webpage project, added alert(/xss level-6 baby/) to it and saved. A perk of using is that it even hosts your project over HTTPS.


Save the project and, to get the URL of the hosted project, click the share button in the top left corner and copy the live site URL. To access the JS file of your project just change the URL from to

Now it's time to load this script in the application, but remember we can't use http/https, so we omit that and our payload becomes:

Payload: //

This is what the URL will look like: level6/frame#//

In case you are lazy and don't want to read the post mentioned above, here is an overview of what is happening.

When the protocol (http/https) is omitted from a URL, the browser inherits the protocol from the current page, i.e. HTTPS, which is why you must make sure your JS file is hosted over HTTPS; otherwise the browser will refuse to load it.
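To make that failure mode concrete, here is an added example (not the challenge's own source; the page URL and host names in it are assumed) that contrasts the regular-expression check the post describes with an origin-based allowlist, run over the legitimate gadget path, an absolute https URL, and a protocol-relative one:

```javascript
// Weak check, reconstructed from what the post describes: a regular
// expression that only rejects paths beginning with http:// or https://.
const BLOCKED_SCHEME = /^https?:\/\//;

function weakAllows(path) {
  return !BLOCKED_SCHEME.test(path);
}

// Hardened check: resolve the fragment the way the browser will and only
// accept a result that stays on the page's own origin under /static/.
// PAGE_URL is an assumed value standing in for the challenge page.
const PAGE_URL = "https://xss-game.example/level6/frame";

function hardenedAllows(path, pageUrl = PAGE_URL) {
  let resolved;
  try {
    resolved = new URL(path, pageUrl); // same resolution a <script src> gets
  } catch (e) {
    return false; // unparsable input is never loaded
  }
  const page = new URL(pageUrl);
  return resolved.origin === page.origin &&
         resolved.pathname.startsWith("/static/") &&
         resolved.pathname.endsWith(".js");
}

// Constructed sample fragments (what follows the # in the URL).
const SAMPLES = [
  "/static/gadget.js",             // the legitimate gadget
  "https://attacker.example/x.js", // caught by the regex
  "//attacker.example/x.js",       // protocol-relative: inherits https:, passes the regex
];

// Show, per fragment, where it really resolves and what each check decides.
function compare(samples = SAMPLES) {
  return samples.map((p) => ({
    path: p,
    resolvedTo: new URL(p, PAGE_URL).href,
    weak: weakAllows(p),
    hardened: hardenedAllows(p),
  }));
}

for (const row of compare()) console.log(row);
```

The third row is the bug the level is built around: the regex sees no scheme, but the resolved URL is a cross-origin https script, which is why checking the resolved origin rather than the raw string is the fix.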

And boom! We popped an alert!!

We are done with the Google XSS Challenge and we popped a lot of alerts!


🥳 So it’s time to wrap up the post with a quote

“Do your work with your whole heart, and you will succeed – there’s so little competition.” -Elbert Hubbard

Souvik Kar Mahapatra's DEV Community Profile

#google XSS challenge #walkthrough #wargame #CTF #cross site scripting