科技回声

20 条评论

Solutions: <a href="http://pastebin.com/hv0h73eC" rel="nofollow">http://pastebin.com/hv0h73eC</a><p>I'm posting because I find that whenever I can't solve some security puzzle, it usually means I didn't foresee an attack and I've been writing insecure code :( So hopefully people who get stumped can take a look at the solutions and determine if that's the case for them.<p>It'd be cool if someone wrote up explanations for each of these w/ links to relevant portions of Google's documentation.

评论 #13025214 未加载

评论 #13023226 未加载

评论 #13023411 未加载

评论 #13023997 未加载

评论 #13025652 未加载

eridius超过 8 年前

Why does a <script> tag not work in level 2? I can see it ending up in the DOM.<p>Edit: Ah hah, HTML 5 spec explicitly says <script> tags inserted via innerHTML do not execute (<a href="https://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0" rel="nofollow">https://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerh...</a>).

评论 #13025425 未加载

xssfoofoo超过 8 年前

Level 3 seems to no longer be exploitable. Firefox 45.5 here automatically %-encodes the characters into the src attribute.

评论 #13022766 未加载

评论 #13022638 未加载

评论 #13023977 未加载

评论 #13027343 未加载

评论 #13022702 未加载

jaimehrubiks超过 8 年前

I'd like to see the game solutions, I'm new on this and can't pass lv 3.

评论 #13022927 未加载

评论 #13023008 未加载

评论 #13022912 未加载

giuscri超过 8 年前

These challenges are very easy. Anyone who knows something harder? To my knowledge, it's not easy to find material to study/exploit to get better at XSS'ing.

评论 #13029151 未加载

评论 #13026456 未加载

onion2k超过 8 年前

I'm quite surprised that these exploits aren't blocked at the browser level by default with developers having to write code to make the exploits work if they need to.<p>For example, if browsers flatly refused to load code from an external URL unless the address was whitelisted in the page's HTTP response headers then you'd make level 6's exploit impossible without much of an impact on web development.<p>The CORS header Access-Control-Allow-Origin can be used to force a browser to work that way, but only if a site sets it. I'm suggesting we're at the point now where browsers should be secure by default, even if it breaks some old sites.

评论 #13023406 未加载

评论 #13023237 未加载

评论 #13023319 未加载

评论 #13023176 未加载

评论 #13023930 未加载

评论 #13023265 未加载

评论 #13023385 未加载

评论 #13023622 未加载

评论 #13024069 未加载

评论 #13023945 未加载

partizanos超过 8 年前

Did someone get why they prompt us to go to <a href="https://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-00" rel="nofollow">https://tools.ietf.org/html/draft-hoehrmann-javascript-schem...</a> ? I didnt get it.<p>The mechanism next=javascript:alert('') with the column how is it called? Are there exape of using anything other than javascript before column? it was a very great tutorial:)

i336_超过 8 年前

Got to the first one.<p>Okay, URL injection, that's easy: <script>alert('hi');</script><p>Or not: that didn't work.<p>I had to remove the semicolon for it to notice my code. At that point I immediately closed the tab.

评论 #13026979 未加载

fgandiya超过 8 年前

Hey, I just used this a few weeks ago as I was doing this course on web app security by Troy Hunt[0]<p>I didn't get far with it because it turns out that some browsers prevent the exploit, like Firefox and Safari.<p>[0]<a href="https://www.pluralsight.com/courses/hack-yourself-first?gclid=CjwKEAiAmdXBBRD0hZCVkYHTl20SJACWsZj9cTLBFQsqJzN1Y1EwTHW_yGErNY-nkQLG8Q4mipLf8BoC7djw_wcB" rel="nofollow">https://www.pluralsight.com/courses/hack-yourself-first?gcli...</a>

Kenji超过 8 年前

<i>There will be cake at the end of the test.</i><p>The cake is a lie.

评论 #13023960 未加载

prezjordan超过 8 年前

I made it past level 2 but I am curious why the second hint is true. Can anyone provide some insights?

评论 #13022962 未加载

bl0bgate4超过 8 年前

this is similar to <a href="https://www.codebashing.com/sql_demo" rel="nofollow">https://www.codebashing.com/sql_demo</a>

samfisher83超过 8 年前

Some of these exploits won't work on firefox or I am not sure how to do it. For example I can't get firefox to execute code on images.

评论 #13024164 未加载

splitdisk超过 8 年前

I'll always love stuff like this, such a fun way to practice without the pressure of finding something to report on.

freecodyx超过 8 年前

I just call alert('dada') from the console, and it tells me congratulation the site is buggy as well

评论 #13023791 未加载

评论 #13027366 未加载

EJTH超过 8 年前

It was fun the few minutes it lasted. :)

Keloo超过 8 年前

on level 4 try: <a href="https://xss-game.appspot.com/level4/frame?timer=%99" rel="nofollow">https://xss-game.appspot.com/level4/frame?timer=%99</a> and you get: 500 internal server error LOL

elcapitan超过 8 年前

That was fun, but a bit too easy ;)

jamesmp98超过 8 年前

Well that was fun

jkulak超过 8 年前

I don't know, not being able to pass lvl1 with "<script>alert();" made me not want to continue...

评论 #13023639 未加载

20 条评论

throwaway729超过 8 年前

评论 #13025214 未加载

评论 #13023226 未加载

评论 #13023411 未加载

评论 #13023997 未加载

评论 #13025652 未加载

eridius超过 8 年前

评论 #13025425 未加载

xssfoofoo超过 8 年前

Level 3 seems to no longer be exploitable. Firefox 45.5 here automatically %-encodes the characters into the src attribute.

评论 #13022766 未加载

评论 #13022638 未加载

评论 #13023977 未加载

评论 #13027343 未加载

评论 #13022702 未加载

jaimehrubiks超过 8 年前

I'd like to see the game solutions, I'm new on this and can't pass lv 3.

评论 #13022927 未加载

评论 #13023008 未加载

评论 #13022912 未加载

giuscri超过 8 年前

These challenges are very easy. Anyone who knows something harder? To my knowledge, it's not easy to find material to study/exploit to get better at XSS'ing.

评论 #13029151 未加载

评论 #13026456 未加载

onion2k超过 8 年前

评论 #13023406 未加载

评论 #13023237 未加载

评论 #13023319 未加载

评论 #13023176 未加载

评论 #13023930 未加载

评论 #13023265 未加载

评论 #13023385 未加载

评论 #13023622 未加载

评论 #13024069 未加载

评论 #13023945 未加载

partizanos超过 8 年前

i336_超过 8 年前

评论 #13026979 未加载

fgandiya超过 8 年前

Kenji超过 8 年前

<i>There will be cake at the end of the test.</i><p>The cake is a lie.

评论 #13023960 未加载

prezjordan超过 8 年前

I made it past level 2 but I am curious why the second hint is true. Can anyone provide some insights?

评论 #13022962 未加载

bl0bgate4超过 8 年前

this is similar to <a href="https://www.codebashing.com/sql_demo" rel="nofollow">https://www.codebashing.com/sql_demo</a>

samfisher83超过 8 年前

Some of these exploits won't work on firefox or I am not sure how to do it. For example I can't get firefox to execute code on images.

评论 #13024164 未加载

splitdisk超过 8 年前

I'll always love stuff like this, such a fun way to practice without the pressure of finding something to report on.

freecodyx超过 8 年前

I just call alert('dada') from the console, and it tells me congratulation the site is buggy as well

评论 #13023791 未加载

评论 #13027366 未加载

EJTH超过 8 年前

It was fun the few minutes it lasted. :)

Keloo超过 8 年前

on level 4 try: <a href="https://xss-game.appspot.com/level4/frame?timer=%99" rel="nofollow">https://xss-game.appspot.com/level4/frame?timer=%99</a> and you get: 500 internal server error LOL

elcapitan超过 8 年前

That was fun, but a bit too easy ;)

jamesmp98超过 8 年前

Well that was fun

jkulak超过 8 年前

I don't know, not being able to pass lvl1 with "<script>alert();" made me not want to continue...

评论 #13023639 未加载

The XSS Game by Google

20 条评论

The XSS Game by Google

20 条评论