According to OWASP, XSS (Cross-Site Scripting) is one of the most prevalent forms of attack. If you’re not familiar with the term, XSS put simply is when code that shouldn’t be there is executed on a webpage. I decided to do some practice with the technique (legally of course!) and stumbled upon this game:
First thing we can try is typing something like <b>Testing…</b> in the search bar and hitting search, this should confirm that the form is accepting HTML as your search will be returned in bold.
Hit search and our script is running!
Easy! Obviously XSS isn’t just for generating alerts, it can be used for a lot of really nasty stuff, whether it’s downloading software to your device or hijacking your session, the only real limit is the attackers own skill and imagination, in the next few levels we’ll see a few things that you should be keeping a watch out for whether you’re a user or a developer.