
I completed the game, but I honestly don't know: why wouldn't injecting a script tag directly in level 2 work?


The hint for level 3 reads:

  As before, using <script> ... as a payload won't work
  because the browser won't execute scripts added after the 
  page has loaded.
How do you solve level 3?


For me it actually worked to use a script tag, but I'm confused about why, as the hint says it shouldn't.

This is the URL I used:

    https://xss-game.appspot.com/level3/frame#'><script>alert('bla')</script>
But the hint is hinting at something more like this, I think:

    https://xss-game.appspot.com/level3/frame#' onerror="alert('bla')">
Can somebody explain why the first one worked? Are they wrong when they say that the browser won't execute scripts added after the page has loaded?


Interestingly, modern WebKit browsers include an "XSS auditor" that will refuse to run javascript sent in the request that loaded the page. It's pretty good (and open-source), so figuring out a way to have XSS without hitting the auditor is a big win for the attacker.


Might be because the script is injected during `onload`, which is arguably the very end of the page-loading process. But, yeah, the hint is clearly incorrect in the latest version of Chrome.


Why do we need the single quote after the # sign? I don't understand why and would like to know.


As "sbd" said, the "html +=" statement is using the "num" parameter as it is.

The real problem is the substring(1) function, which passes "num" through as-is: instead of making sure the length is 1, it allows everything.


In the chooseTab function you have the following line:

    html += "<img src='/static/level3/cloud" + num + ".jpg' />";

The src opens with a single quote and looks for the 'num' var. So instead of num in the URL, you close the single quote and then close the image tag, and then run your script.
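The concatenation quoted in the comment above, and the two fragment payloads from the earlier comment (the `'><script>` one and the `' onerror=` one), modelled in plain Node as an added example. This is not code from the XSS game itself: it assumes `num` is the URL fragment with its leading `#` already stripped, that the only real tabs are numbered 1 to 3, and it builds only the `<img>` line, not the rest of chooseTab. The point it shows is that a leading single quote closes the src attribute, and that an allow-list on `num` stops both payloads before they reach the HTML string. One caveat worth knowing when reproducing this in a browser: a raw `innerHTML` assignment does not execute `<script>` elements it creates, whereas jQuery's `.html()` evaluates them, so whether the first payload fires depends on how the page inserts the string; the `onerror` payload fires either way, because the browser runs the handler when the broken image fails to load.

```javascript
// Added example, not the XSS game's own code. Models the level 3
// concatenation in Node (no DOM needed) so the two thread payloads can be
// compared side by side. Assumption: `num` is the fragment after '#'.

// Vulnerable builder: `num` lands inside a single-quoted src attribute with
// no validation or encoding, so a leading ' closes the attribute and what
// follows is parsed as markup.
function chooseTabVulnerable(num) {
  let html = "";
  html += "<img src='/static/level3/cloud" + num + ".jpg' />";
  return html;
}

// Hardened builder: the tabs are numbered, so allow-list the value rather
// than trying to escape it. Anything other than a single digit 1-3 (the
// range is an assumption) is rejected before it can reach the HTML string.
function chooseTabHardened(num) {
  if (!/^[1-3]$/.test(String(num))) {
    throw new RangeError("invalid tab number: " + JSON.stringify(num));
  }
  return "<img src='/static/level3/cloud" + num + ".jpg' />";
}

// Rough test-time oracle over the produced markup: reports a <script> tag,
// an on*= event handler attribute, or anything other than exactly one <img>.
// It is a check for this demo, not a sanitizer; do not use it as a defence.
function breakoutFindings(html) {
  const findings = [];
  if (/<script\b/i.test(html)) findings.push("script tag injected");
  if (/\son[a-z]+\s*=/i.test(html)) findings.push("event handler attribute injected");
  const imgs = html.match(/<img\b[^>]*>/gi) || [];
  if (imgs.length !== 1) findings.push("expected one <img>, got " + imgs.length);
  return findings;
}

// The two fragment payloads discussed in the thread, as they arrive after '#'.
// Whether SCRIPT_PAYLOAD runs depends on the insertion API (innerHTML does not
// execute the <script> it creates; jQuery's .html() does). ONERROR_PAYLOAD
// runs regardless, since the handler fires when the bogus image fails to load.
const SCRIPT_PAYLOAD = "'><script>alert('bla')</script>";
const ONERROR_PAYLOAD = "' onerror=\"alert('bla')\">";

// Walk a benign tab number and both payloads through each builder.
for (const input of ["1", SCRIPT_PAYLOAD, ONERROR_PAYLOAD]) {
  const html = chooseTabVulnerable(input);
  console.log(JSON.stringify(input), "->", html, breakoutFindings(html));
  try {
    console.log("  hardened:", chooseTabHardened(input));
  } catch (e) {
    console.log("  hardened: rejected (" + e.message + ")");
  }
}
```

The allow-list is deliberately stricter than an encoding fix would be: HTML-attribute-encoding `num` would also stop the breakout, but it keeps the decision about what is safe next to the string concatenation, where the next edit can quietly undo it. Rejecting anything that is not one of the known tab numbers removes the attacker's control of the attribute entirely.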


Similar to level 2 - just be careful about escaping out of the image src, and making sure the rest of the line is invalidated. Think about how you would do it if you were writing JS on your own...


try '>


Eugh, I'm blind. Thanks!


Because you can't have tags inside of textarea. All data inside of textarea is interpreted as text.



