DISCLAIMER: The information in this site is for educational purpose only. The authors of this blog are not responsible for any kind of misuse of this information.

Friday, May 30, 2014

XSS Game 1/6

Hola! Let's beat Google's xss-game. You can find it here:
http://xss-game.appspot.com/

To make it more challenging, I'll approach it as a blind injection :)
OK, we have a popular search engine called '4|4'. Let's check whether we can inject HTML at all.

Input : "<script></script>"
Output : "Sorry, no results were found for . Try again."

In the normal case (input escaped before output) the page would read "Sorry, no results were found for <script></script>. Try again." The tags vanished from the rendered message, which means the server sent our input back to the client as-is and the browser parsed it as regular HTML.
Now let's inject the real thing:
<script>alert('Owned!')</script>

Owned! Now let's see the reason: the server-side code that generates this page:
...
    query = self.request.get('query', '[empty]')

    # Our search engine broke, we found no results :-(
    # The raw query is concatenated straight into the markup
    message = "Sorry, no results were found for <b>" + query + "</b>."
    message += " <a href='?'>Try again</a>."

    # Display the results page
    self.render_string(page_header + message + page_footer)
...
We can see that our query is concatenated into the regular HTML page content without any escaping, which is exactly what makes the reflected XSS possible. Any developer should avoid that: HTML-escape user input at the point of output (or use a template engine with auto-escaping).
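As an added example (not part of the original post or of the xss-game's own code), here is the handler above rebuilt as two plain functions: the vulnerable concatenation next to a version that HTML-escapes the query with Python's html.escape. The page_header/page_footer values are constructed stand-ins for the game's real ones.

```python
import html

# Constructed stand-ins for the game's page_header and page_footer.
PAGE_HEADER = "<html><body>"
PAGE_FOOTER = "</body></html>"


def render_vulnerable(query):
    """Mirrors the level-1 handler: the raw query is concatenated into the markup."""
    message = "Sorry, no results were found for <b>" + query + "</b>."
    message += " <a href='?'>Try again</a>."
    return PAGE_HEADER + message + PAGE_FOOTER


def render_fixed(query):
    """Same page, but the query is HTML-escaped before it touches the markup.

    html.escape(..., quote=True) turns & < > " ' into entities, so the browser
    shows the characters as text instead of parsing them as tags/attributes.
    """
    safe = html.escape(query, quote=True)
    message = "Sorry, no results were found for <b>" + safe + "</b>."
    message += " <a href='?'>Try again</a>."
    return PAGE_HEADER + message + PAGE_FOOTER


def contains_live_script_tag(page):
    """Crude check for the blind probe from the post: did a real <script> tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    probe = "<script></script>"
    payload = "<script>alert('Owned!')</script>"
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, "probe reflected as HTML:", contains_live_script_tag(render(probe)))
        print(name, "payload reflected as HTML:", contains_live_script_tag(render(payload)))
```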
Let's move on!
