Level 1: Hello, world of XSS

Mission Description

This level demonstrates a common cause of cross-site scripting where user input is directly included in the page without proper escaping. Interact with the vulnerable application window below and find a way to make it execute JavaScript of your choosing. You can take actions inside the vulnerable window or directly edit its URL bar.

Mission Objective

Inject a script to pop up a JavaScript `alert()` in the frame below. Once you show the alert you will be able to advance to the next level.

In each of the levels we are provided with the source code for the frame, so we can see how everything works under the hood.

    
    from google.appengine.ext import webapp

    # page_header, main_page_markup and page_footer are HTML strings defined
    # elsewhere in the level's source (not shown here).

    class MainPage(webapp.RequestHandler):

        def render_string(self, s):
            # Writes s to the response verbatim; no escaping is applied.
            self.response.out.write(s)

        def get(self):
            # Disable the reflected XSS filter for demonstration purposes
            self.response.headers.add_header("X-XSS-Protection", "0")

            if not self.request.get('query'):
                # Show main search page
                self.render_string(page_header + main_page_markup + page_footer)
            else:
                # The variable query contains exactly what you typed into the search box.
                # The code then uses string concatenation to build the HTML. It assumes the user will only type normal text (like "puppies" or "pizza"), but it doesn't actually enforce that.
                query = self.request.get('query', '[empty]')

                # Our search engine broke, we found no results :-(
                message = "Sorry, no results were found for " + query + "."
                message += " Try again."

                # Display the results page
                self.render_string(page_header + message + page_footer)

            return

    application = webapp.WSGIApplication([('.*', MainPage)], debug=False)
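
The fix for this pattern is to escape the query before it is concatenated into the page. The following is an added example, not part of the level's source: `render_vulnerable`, `render_escaped` and `tags_in` are hypothetical names, and the sample input is constructed. It uses Python 3's standard `html` module and checks, with an HTML parser, whether the query introduced any tags into the output.

```python
import html
from html.parser import HTMLParser

PREFIX = "Sorry, no results were found for "
SUFFIX = ". Try again."


def render_vulnerable(query):
    # Same pattern as the level: raw concatenation into HTML.
    return PREFIX + query + SUFFIX


def render_escaped(query):
    # html.escape turns & < > " ' into entities, so the browser
    # treats the query as text rather than markup.
    return PREFIX + html.escape(query, quote=True) + SUFFIX


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    # Returns the list of tag names the parser found in the fragment.
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


# Constructed sample input: ordinary text wrapped in markup.
SAMPLE = '<b>puppies</b> & "pizza"'

if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped):
        out = render(SAMPLE)
        print(render.__name__, tags_in(out), out)
```

`html.escape` covers HTML text and quoted attribute values; input placed in other contexts, such as inline script or URLs, needs encoding suited to that context.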
    

###### Finish ######

No AI used in the making of this post that I know of at least 😀