Prompt.ml XSS Challenge

Kadhirravan R
Developer Community SASTRA
3 min read · Jul 24, 2021

prompt.ml is a series of challenges that are designed to pique your interest and increase your knowledge on XSS attacks. You can check out the challenge here: https://prompt.ml/

Level 0

Level 0 challenge

When we analyze the code, we notice that no input sanitization is applied. So we can close the input tag ourselves and inject a basic <script> tag.

Solution:

"><script>prompt(1)</script>

Let’s get the ball rolling! :)

Level 1

Level 1 Challenge

This is a fairly basic XSS payload. Here, we can see that our input is being sanitized in the code, which removes every token of the form <...>.

SVG is an XML-based format and has its own DOM (Document Object Model). So we can use JavaScript here to access the DOM, and <script> tags are allowed inside an SVG file. Another point to notice here is onload. onload is an event handler, which executes the script when the object is loaded.

So we can bypass the filter by omitting the closing ‘>’ from the tag: the filter no longer matches, but the browser still parses the tag and executes the script.

Solution:

<svg onload=prompt(1)
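To see why the Level 0 and Level 1 payloads above slip past a tag-stripping filter, and what actually neutralizes them, here is an added example (not the challenge's own source): an assumed reconstruction of the “remove anything shaped like <...>” filter next to a contextual HTML encoder, with a small check that reports whether the output can still start a tag.

```javascript
// Added example, not the prompt.ml source. The filter below is an ASSUMED
// reconstruction of the Level 1 behaviour described in the write-up:
// drop every token that looks like <...>.
function stripTagsFilter(input) {
  return input.replace(/<[^>]*>/g, "");
}

// Contextual output encoding for an HTML text node: every character that
// can open markup or close an attribute becomes an entity, so no tag can
// form regardless of how the input is shaped.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Check: can the HTML parser still read a tag start ("<" followed by a
// letter, "!", "/" or "?") anywhere in the string?
function looksLikeTagStart(s) {
  return /<[a-zA-Z!\/?]/.test(s);
}

// Constructed inputs: the two payloads quoted in the write-up.
const LEVEL0_PAYLOAD = '"><script>prompt(1)</script>';
const LEVEL1_PAYLOAD = '<svg onload=prompt(1)';

// Run one payload through both approaches and report the outcome.
function compare(payload) {
  const filtered = stripTagsFilter(payload);
  const encoded = encodeForHtml(payload);
  return {
    filtered,
    filteredStillDangerous: looksLikeTagStart(filtered),
    encoded,
    encodedStillDangerous: looksLikeTagStart(encoded),
  };
}

// Stand-alone run: the unterminated <svg ...> survives the filter untouched,
// while the encoder leaves nothing that parses as a tag.
console.log(compare(LEVEL0_PAYLOAD));
console.log(compare(LEVEL1_PAYLOAD));
```

The lesson carries over to Levels 2 and 5 as well: a blacklist that keys on `(`, `=` or the `on` prefix is only as good as the parser quirks it anticipates, whereas encoding for the output context removes the question entirely.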

Level 2

Level 2 Challenge

We can see a slight increase in difficulty. Here they are filtering out all equal signs and open parentheses. To ensure every character is displayed correctly in a webpage, each character has been given an HTML character code, which can be referred to here: Hypertext Markup Language — 2.0 — The HTML Coded Character Set (w3.org)

Now, we can try to get the open parenthesis past the filter by using its encoded form.

Solution:

<script>prompt&#40;1)</script>

&#40; is the hex form of (.

Level 3

Level 3 Challenge

Here, our input is stored inside an HTML comment. But we can’t break out of the comment the obvious way, as our input is tested with a regex for the pattern ->, which is then replaced by a ‘_’.

To bypass this, we need to dig into the HTML specification for comments. I would recommend reading the following regarding the use of --!>.

Solution:

--!><script>prompt(1)</script>

Level 4

Level 4 is out of bounds in terms of difficulty. That’s for another blog. :)

Level 5

Level 5 Challenge

Here, the input is filtered to remove all event handlers (anything starting with on) and the keyword focus, along with the > character.

So we can try to bypass the on filtering by placing the = symbol on a new line. But to ensure the event handler is used, we change the input type to image and then provide an invalid source to trigger an onerror event handler. When multiple values for the same attribute are defined in an HTML tag, only the first definition is valid.

Solution:

" type=image src=x onerror
="prompt(1)

There are still a few levels left to solve, but I think that’s for another day.

Goodbye :)
