xss challenge writeup

Pronay Biswas
4 min read · May 8, 2023

prompt.ml

This is a series of XSS challenges by Filedescriptor. If you haven’t tried to solve the challenges yet, you should definitely try them yourself before reading the writeups. For beginners, this is the best place to practice.

lab link- https://prompt.ml/

Rules

  • Call prompt(1) to win!
  • Run the payload without user interaction.
  • The payload must render in at least one of the browsers mentioned here: Chrome (latest version) / Firefox (latest version).
  • There is more than one payload that solves each challenge.

Level 0

Level 0 is a basic warm-up challenge that only requires the user to inject active HTML to execute prompt(1).

  1. When I analyze the code, I notice that no input sanitization is applied, so I can close the input tag myself and use a basic <script> tag.
  2. The following payload solves the challenge:
"><script>prompt(1)</script>

Level-1

  1. In the code, we can see that our input is sanitized with a simple regular expression that removes everything of the form <...>.
  2. This regular expression can be bypassed by simply omitting the trailing > character. To force the browser to render the attack vector anyway, a trailing space or line break is required after the payload.
<svg onload=prompt(1)//

Level-2

  1. In this challenge, I noticed that user input is validated by disallowing equals signs and opening parentheses, so I needed a different way to bypass this validation without using either character.
  2. So I used an HTML-encoded form of the disallowed character (the numeric character reference &#40; for the opening parenthesis) to bypass this challenge.
<svg><script>prompt&#40;1)</script>
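The Level 1 and Level 2 bypasses above illustrate the same defensive lesson: an input filter that strips tags or blocks characters is checking a different representation than the one the browser actually parses. The Python below is an added example, not code from prompt.ml or from this post; it reconstructs the two filters as assumptions about their behaviour and contrasts them with output encoding, which leaves both payloads inert.

```python
import html
import re

# Assumed reconstructions of the Level 1 and Level 2 filters described in the
# write-up (not prompt.ml's own code), with the output-encoding fix beside them.

TAG_RE = re.compile(r"<[^>]*>")   # Level 1 style: delete anything shaped like <...>
BLOCKED_CHARS = ("=", "(")        # Level 2 style: reject these characters outright


def strip_tags_naively(user_input: str) -> str:
    """Level 1 style sanitizer. A '<' that is never followed by '>' is left alone."""
    return TAG_RE.sub("", user_input)


def passes_blocklist(user_input: str) -> bool:
    """Level 2 style check, run on the raw, still-encoded input."""
    return not any(ch in user_input for ch in BLOCKED_CHARS)


def passes_blocklist_after_decoding(user_input: str) -> bool:
    """Same blocklist, applied to the entity-decoded text, which is the form the
    browser ends up executing in the SVG context the Level 2 payload relies on."""
    return passes_blocklist(html.unescape(user_input))


def may_open_tag(fragment: str) -> bool:
    """Detection helper: does the fragment still contain '<' followed by a letter,
    the minimum a browser needs to begin parsing a start tag?"""
    return re.search(r"<[a-zA-Z]", fragment) is not None


def encode_for_html(user_input: str) -> str:
    """The fix for both levels: encode on output instead of filtering on input.
    Every <, >, &, \" and ' becomes an entity, so no tag or attribute can form."""
    return html.escape(user_input, quote=True)


if __name__ == "__main__":
    level1_payload = "<svg onload=prompt(1)//"                # from the write-up
    print(strip_tags_naively(level1_payload))                # unchanged: no '>' to match
    print(may_open_tag(strip_tags_naively(level1_payload)))  # True
    print(may_open_tag(encode_for_html(level1_payload)))     # False
    level2_payload = "prompt&#40;1)"                         # from the write-up
    print(passes_blocklist(level2_payload))                  # True: filter sees '&#40;'
    print(passes_blocklist_after_decoding(level2_payload))   # False: browser sees '('
```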

Level-3

  1. According to my analysis of the JavaScript code, user input is placed inside an HTML comment to prevent script execution.
  2. The script therefore has to be executed by closing the comment first; HTML5 also accepts --!> as a comment terminator.
  3. To bypass this level I used the payload given below:
--!><script>prompt(1)</script>

Level-4

Level-5

  1. In this challenge, I see that user input is filtered for “>” and for event handlers in order to prevent JavaScript code from being executed.
  2. Bypassing this filter requires setting the input type to image; as you may have noticed, onerror= is also filtered, so we insert a line break between onerror and =.
  3. So I used the payload below to execute JavaScript for this challenge:
"type=image src onerror
="prompt(1)

Level-6

  1. In this level, the regular expression in place tries to forbid the strings javascript and vbscript as well as data URIs, to prevent us from executing any JavaScript.
  2. When we use input of the form http://example.com#{"Name":"b0mk35h"}, the input is split into two segments. The first segment is used for the action attribute of the form. The second segment is JSON whose keys and values end up in the name and value attributes of the input tag.
  3. So I decided to use the payload below to solve this level:
javascript:prompt(1)#{"action":1}

****** more coming soon ******


Written by Pronay Biswas

Secured NASA, Cisco, TATA Power, Inflectra, and so on | CEH | CAP | CNSP | Bug hunter | CTF Player 🚩
