This is our final level, we’re presented with a page that runs “gadgets”.
Let’s take a look at the code to see if there’s anything interesting in there that might help us to exploit this page.
So there’s 3 things we’re looking at here, first of all “http” is filtered, this is obviously a very weak filter and there are literally millions of ways around this.
The second thing we’re looking at is how the gadgets are loaded, it looks here like they’re loaded from a URL. If you don’t have a JavaScript file that you can access you can use google.com/jsapi?callback=alert
The third one is explained very clearly in the comment, the gadget that we will load from the URL is defined after #.
This is how I completed this level.
As you can see I bypassed the filter by using capitals, in fact you could probably get away with not even including http or https. After the # I added the URL where my gadget is located and voila!
Now that we’ve completed this short series on XSS it’s well worth reading this google document about XSS, particularly the section about prevention and testing.
Please use your new found powers for good, not evil!
Dan Rigby PenTesting 