XSS Game Level 4

I’m not gonna lie, this level gave me some trouble. I tried a lot of different stuff, but I’m going to share the way that I managed to eventually move past it.

We have a timer that takes user input.

It’s definitely worth analysing the source code for this one; that’s where part of our answer is.

The circled part is the function that creates our timer. If we run the timer as it should be and check the source code for that, we can see this:

Here we can see the variable startTimer set to ('3'). Maybe we can inject some code here to extend this statement.

The reason this works is that whatever we put in the field will be surrounded by (''); and nothing else. We end up setting the startTimer variable to ('3'); alert('RingRing');

Got it!
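Why the wrapping described above is the root cause, and how a page like this could be fixed, as an added example that is not part of the original post or the game's own code. The function names, the markup and the sample input are assumptions constructed for illustration.

```javascript
// Added example; function names and markup are illustrative assumptions.

// Vulnerable pattern from the post: the input is wrapped in (' and ');
function renderVulnerable(timer) {
  return `<img src="loading.gif" onload="startTimer('${timer}');">`;
}

// HTML-escaping alone does not help in this context: the browser decodes
// entities in the attribute value before compiling the handler as JavaScript.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}
function renderHtmlEscaped(timer) {
  return `<img src="loading.gif" onload="startTimer('${escapeHtml(timer)}');">`;
}

// Hardened: allow-list the value as a short run of digits and pass it as
// data, so no user-controlled text is ever part of the handler source.
function renderHardened(timer) {
  if (!/^[0-9]{1,4}$/.test(String(timer))) return null; // reject, e.g. HTTP 400
  return `<img src="loading.gif" data-seconds="${Number(timer)}" ` +
         `onload="startTimer(this.dataset.seconds);">`;
}

// Approximates what the JavaScript engine receives: the onload attribute
// value after decimal character references have been decoded.
function handlerSource(html) {
  const m = /onload="([^"]*)"/.exec(html);
  return m && m[1].replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Constructed input that produces the statement shown in the post.
const sample = "3'); alert('RingRing";

console.log(handlerSource(renderVulnerable(sample)));  // two statements
console.log(handlerSource(renderHtmlEscaped(sample))); // still two statements
console.log(renderHardened(sample));                   // rejected
console.log(handlerSource(renderHardened("3")));       // fixed handler text
```

The handler text only stays constant when the value is validated and kept out of the script source; escaping for HTML protects the attribute boundary, not the JavaScript string inside it.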
