According to OWASP, XSS (Cross-Site Scripting) is one of the most prevalent forms of attack. If you’re not familiar with the term, XSS put simply is when code that shouldn’t be there is executed on a webpage. I decided to do some practice with the technique (legally of course!) and stumbled upon this game:
http://www.xss-game.appspot.com/
The objective is simple, generate a JavaScript alert() function on the page.
First thing we can try is typing something like <b>Testing…</b> in the search bar and hitting search, this should confirm that the form is accepting HTML as your search will be returned in bold.
So now we can try something a little more sinister. Let’s try alert(”); This should tell the HTML that we want to run a script and the script that we want to run is JavaScripts alert();
Hit search and our script is running!
Easy! Obviously XSS isn’t just for generating alerts, it can be used for a lot of really nasty stuff, whether it’s downloading software to your device or hijacking your session, the only real limit is the attackers own skill and imagination, in the next few levels we’ll see a few things that you should be keeping a watch out for whether you’re a user or a developer.
Dan Rigby PenTesting 