In the previous story we solved levels 1 to 10 of the XSS Gym designed by Brutelogic. Today I want to share the lessons and tips I learned by solving levels 11 to 20 of this challenge, so do not miss the story. I thought it would be a great idea to share this info and the payloads, because I will talk about the context in each level, so you and I, as beginners in this field, can learn a lot of things :)
As we know, this challenge is accessible via "https://x55.is/brutelogic/gym.php".
To go to a given level, you use the parameter "?pNN=<your payload>", where NN is the level number; for example, to solve the 1st level you use https://x55.is/brutelogic/gym.php?p01=YOUR PAYLOAD
Before starting, I 100% recommend using the page source for each level while solving it, in order to learn and understand more efficiently! It is easy: just right-click and choose "View page source", or use the Ctrl + U shortcut. I also recommend testing your payload against the page source first, before testing it in the application. The point is to see where your payload is placed and how it behaves in the web app!
Here is the lab environment:

So let's jump into the game and start exploiting these labs:
Level 11— link: https://x55.is/brutelogic/gym.php?p11=<payload here>
I solved this challenge with two payloads at first, but there are more than two ways to solve it, because the whole point of this level is just to escape the variable and the JS context by closing the script tag with </script>. First I closed the script tag with </script>, then I opened a new script tag and placed my alert(1) in it, and boom, it worked on the spot ;). It was also possible to use an <svg> or <img> tag to pop an alert!
I used these payloads and they all worked (you can try different payloads):
1- </script><script>alert(1)</script>
2- '</script><script>alert(1)</script>
3- </script><svg/onload=alert(1)>
4- </script><svg onload=alert(1)>
5- </script><img%20src=x%20onmouseover=alert(1)>
Level 12 — link: https://x55.is/brutelogic/gym.php?p12=<payload here>
It is the same as the 11th level: you just have to close the <script> tag with </script> and then inject your payload. There are lots of ways to solve this challenge, because, as I told you, the point of this level is to learn how to break out of the JavaScript context. It is solved just like the previous level. Use any payload from the previous challenge that could pop an alert for you and you will see your XSS alert again :)
Payload: you can use your favorite simple payload here, no limits
Level 13— link: https://x55.is/brutelogic/gym.php?p13=<payload here>
In this case we can't escape with </script> or any tag, because the app filters the < character, so we simply can't use it. Instead we have to play with the JavaScript variable using '-alert(1)-'. When we inject this payload, the JS interpreter treats it as an expression (a calculation), so while evaluating that expression our alert(1) is executed and pops up!
payload: '-alert(1)-'
context:
<script> var p13 = 'our input'; </script>
The code while the payload is injected:
<script> var p13 = ''-alert(1)-'' </script>
What really happens when we inject our payload? The statement is evaluated as a subtraction: the first '' is coerced to 0, minus alert(1), which is executed (the alert pops up and the call evaluates to undefined), minus the second '' (these empty strings are treated as zero in the calculation). The result of the subtraction is NaN, which doesn't matter; the important part for us is that alert(1) is shown!
Level 14 — link: https://x55.is/brutelogic/gym.php?p14=<payload here>
It is the same as the previous level with one small difference: our input goes into a variable that is delimited with double quotes, so we have to change our payload from '-alert(1)-' to "-alert(1)-", and the expression pops the 1 up for us when the payload is injected. All of the concepts and operations from the previous level apply here unchanged.
payload: "-alert(1)-"
Level 15 — link: https://x55.is/brutelogic/gym.php?p15=<payload here>
In this level the web app uses a function to sanitize the user input: every time we inject a single quote, the application puts a backslash \ in front of it, i.e. ' -> \'. So we have to use a trick to bypass it and achieve our XSS: we use \'-alert(1)//, so the context becomes:
var p15 = '\\'-alert(1)//';
1- Our \' turns into \\', which makes a legit string literal '\\' (a single backslash), so the closing quote is no longer escaped.
2- The - starts a calculation, and alert(1) has to be evaluated to complete the expression, so the JS engine runs it and it pops up :]
3- The // comments out the rest of the line (the leftover ';), which avoids a syntax error.
payload: \'-alert(1)//
Level 16 — link: https://x55.is/brutelogic/gym.php?p16=<payload here>
It is the same as level 15, but we have to use a double quote in the payload because the context uses double quotes. The whole process is the same as in the previous challenge: make a valid string -> start an expression -> alert(1) gets evaluated -> comment out the rest to avoid syntax errors.
payload: \"-alert(1)//
Level 17— link: https://x55.is/brutelogic/gym.php?p17=<payload here>
In this level we should know that when a variable is defined inside <script> tags, the browser's HTML parser is still active while reading the page. If the JS template literal contains </script>, the HTML parser thinks "Oh, the script tag is closed now. Time to parse the rest as HTML." Note that the JS engine itself doesn't render HTML, but the HTML parser does: it ends the script element at that closing tag before the JS engine ever sees the rest.
A template literal in JavaScript is a string written with backticks (`) that can span multiple lines and embed expressions using ${}. In this level we face a variable that uses a template literal, so, as we now know, we can use HTML tags: first we close it with </script>, then we append an arbitrary payload, mine being <img%20src=x%20onerror=alert(1)>, and we get our sweetheart XSS pop-up :)
payload: </script><img%20src=x%20onerror=alert(1)>
Level 18— link: https://x55.is/brutelogic/gym.php?p18=<payload here>
This level is also like the 13th and 14th levels, but here we have backticks in the JS context, so our payload will be `-alert(1)-`; the JS interpreter evaluates it and we get the pop-up!
Note: In JavaScript '', "" and `` all create empty strings, and in a numeric context an empty string is type-coerced to 0, so:
+'' // 0
+"" // 0
+`` // 0
are all the same.
payload: `-alert(1)-`
Level 19— link: https://x55.is/brutelogic/gym.php?p19=<payload here>
This level is similar to the 15th and 16th levels, but here the JS context uses backticks and the app sanitizes the user input with the backslash \ character. We follow the flow we already know: make a valid string using \` -> turn the statement into an expression using the - operator -> alert(1) is evaluated -> use // for commenting to avoid syntax errors.
payload: \`-alert(1)//
Level 20— link: https://x55.is/brutelogic/gym.php?p20=<payload here>
In this level the web app sanitizes the input by prepending extra backslashes to \ and `, so here we couldn't pop an alert with the previous payloads. What should be done here? We know there is a function that does this escaping, and we discussed in the 17th level that we can embed expressions into template literals using ${}, so here we can use ${alert(1)} to pop up an alert, and gladly it works :)
payload: ${alert(1)}
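Several of these levels come down to how the server places a value into a script block: the </script> breakout (levels 11, 12 and 17), the quote-only backslash filters (levels 15, 16 and 19) and the ${} interpolation in a template literal (level 20). The Node.js example below is added here for this write-up; it is not the gym's code. The naive filter functions, the render templates, the probe() stand-in for alert() and the sample inputs are all constructed for the example, modelled on what the levels above describe, and they are compared with a safe encoder based on JSON.stringify.

```javascript
// Added example (not from the gym): why the quote-only backslash filters and
// the template literal fail, and what a safe encoder does instead.
// probe() stands in for alert() so the demo runs headless under Node.

// Naive filters modelled on the page's description: the quote character gets
// a backslash in front of it, but the backslash itself and "${" are left alone.
function naiveSingleQuote(s) { return s.replace(/'/g, "\\'"); }
function naiveBacktick(s) { return s.replace(/`/g, "\\`"); }

// Safe encoder: JSON.stringify yields a double-quoted literal in which both the
// backslash and the quote are escaped. "</" is broken up so the HTML tokenizer
// can never see a closing script tag, and the two line terminators that JSON
// leaves raw (U+2028/U+2029) are escaped as well.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Three hypothetical server-side templates that embed the value into a script.
const render = {
  naiveSingle: (v) => `var p = '${naiveSingleQuote(v)}';`,
  naiveTemplate: (v) => `var p = \`${naiveBacktick(v)}\`;`,
  safe: (v) => `var p = ${jsStringLiteral(v)};`,
};

// The HTML tokenizer ends a <script> element at the first "</script" it sees,
// whatever the surrounding JavaScript means. Returns the index where the
// element would be closed, or -1 if the script text is taken as a whole.
function htmlScriptEnd(scriptText) {
  return scriptText.toLowerCase().indexOf('</script');
}

// Run the generated statement with probe() in scope. Returns how many times
// the probe fired and what value p ended up holding.
function evaluate(statement) {
  let probeCalls = 0;
  const probe = () => { probeCalls += 1; return 1; };
  let value = null;
  let error = null;
  try {
    // Newline before "return" so a trailing // comment in the input cannot eat it.
    value = new Function('probe', statement + '\nreturn p;')(probe);
  } catch (e) {
    error = e.name;
  }
  return { probeCalls, value, error };
}

function demo(template, input) {
  const statement = render[template](input);
  return { statement, ...evaluate(statement) };
}

// Constructed sample inputs shaped like the level 15, level 20 and level 17 cases.
const sampleSingle = "\\'-probe(1)//";
const sampleTemplate = "${probe(1)}";
const sampleClose = "</script><img src=x onerror=probe(1)>";

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const cases = [
    ['naiveSingle', sampleSingle], ['safe', sampleSingle],
    ['naiveTemplate', sampleTemplate], ['safe', sampleTemplate],
  ];
  for (const [t, i] of cases) {
    const r = demo(t, i);
    console.log(t.padEnd(14), r.statement.padEnd(40), 'probe fired:', r.probeCalls,
                'value:', JSON.stringify(r.value));
  }
  console.log('naive script ends at', htmlScriptEnd(render.naiveSingle(sampleClose)));
  console.log('safe  script ends at', htmlScriptEnd(render.safe(sampleClose)));
}
```

Running the file prints one line per case: both naive templates fire the probe, while the JSON.stringify-based encoder keeps every input as plain string data (p equals the original input and the probe never runs), and the `</` rewrite stops the HTML tokenizer from closing the script element early (htmlScriptEnd returns -1 for the safe output). The lesson for the defending side is that escaping only the quote character is never enough; serialise the whole value with a proper JS string encoder, and keep user data out of template literals entirely.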
This was the story and the solutions. I don't know if it was complete or if it shared the concepts well, but I hope you have enjoyed it 😊