XSS Game Level 3

For this level there is nowhere for a user to provide input on the page. We’re going to have to inject our code into the URL.

To do this we need to understand how the URL is built depending on which image is selected. There is a weakness in the script shown below.

The way I’ve interpreted this code:
The URL is based upon which image is selected from the JavaScript variable num.
Does this mean that we can simply replace num with our own code in the URL?

Please don’t be fooled into thinking that this is the first code that I tried. Before I arrived at this conclusion I tried a few things along the lines of:

frame#'javascript:alert('NotNum');'
My thinking being that we could directly replace num.

frame#1'javascript:alert('NotNum');'
That we could add the script to num.

frame#4'javascript:alert(NotNum');'
That if we defined a new image for num.

I noticed that no matter what was put there the image would error but the script would not be executed. So what happens if we give the URL a script to execute when there’s an error?

That’s what happens!
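Why the image breaks whatever is put after the #, and how the page could be fixed, as an added example that is not part of the original post or the game's own source. The image path, the tab count of 3 and all function names are assumptions, and the sample fragment is constructed with a harmless data attribute.

```javascript
// Assumed for illustration: the page offers three images.
const TAB_COUNT = 3;

// Weak pattern: the fragment value is concatenated straight into markup.
// A quote inside the value closes src early, and the rest becomes new attributes.
function buildImageTagUnsafe(num) {
  return "<img src='/images/cloud" + num + ".jpg' />";
}

// Hardened: accept only a whole number in range, otherwise fall back to image 1.
function parseTabNumber(fragment) {
  const raw = String(fragment).replace(/^#/, "");
  if (!/^[0-9]{1,2}$/.test(raw)) return 1;
  const n = Number(raw);
  return n >= 1 && n <= TAB_COUNT ? n : 1;
}

// Same markup, but only the validated integer ever reaches it.
// In the browser, document.createElement("img") plus img.src = ... avoids
// building markup from strings altogether.
function buildImageTagSafe(fragment) {
  return "<img src='/images/cloud" + parseTabNumber(fragment) + ".jpg' />";
}

// Helper for the demo: list the attribute names present on a generated tag.
function attributeNames(tag) {
  return [...tag.matchAll(/([a-z-]+)='[^']*'/g)].map((m) => m[1]);
}

// Constructed sample fragment: a quote followed by an extra, inert attribute.
const SAMPLE_FRAGMENT = "2' data-injected='x";

function demo() {
  return {
    unsafeTag: buildImageTagUnsafe(SAMPLE_FRAGMENT),
    unsafeAttrs: attributeNames(buildImageTagUnsafe(SAMPLE_FRAGMENT)),
    safeTag: buildImageTagSafe("#" + SAMPLE_FRAGMENT),
    safeAttrs: attributeNames(buildImageTagSafe("#" + SAMPLE_FRAGMENT)),
  };
}

console.log(demo());
```

The unsafe tag ends up with a src that points at a file that does not exist, which is why the image errors, plus an attribute the page author never wrote; the hardened version only ever emits src.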
