Google XSS

In this guide we are going to go through Google XSS Game and discover common XSS payloads and techniques.

Useful links for XSS:
Google Game:
Filter evasion:
Guide Collection:

[X] Level 1: Hello, world of XSS

The first challenge only contains a ‘search bar’, so we can try to execute a simple <script></script> right away. The script added as the user input is understood by the browser as part of the page code and therefore being executed.
The most basic XSS script is <script>alert(1)</script>
Success! Script worked and made webpage display ‘1’ in an alert message.


[X] Level 2: Persistence is key

The second level is a bit tricky. The basic script would not work here so we need to find an another way around. Filter Evasion Cheatsheet helps us in this case. We can ’embed’ an image with empty source variable which would cause an error. Exactly this error can call an alert script by using onerror.

<IMG SRC=/ onerror="alert(1)"></img>

[X]  Level 3: That sinking feeling…

This challenge does not contain any input prompt and therefore should be exploited by modifying a link. Before that we need to analyze the code and create an XSS payload. Press the ‘Target code (toggle)” button to reveal the code.

From this code extract we can see that the JS script calls a chooseTab function which has attributes 1,2,3 (for each tab). What we can do here is create an error and by using onerror function call an alert.

' onerror='alert(1);//

By adding above text to the link we choose a tab as 1′ which is not recognized by the system. Onerror function is called therefore creating desired output.

[X] Level 4: Context matters

Level 4 is pretty similar to the 3d one. Same as there, we need to create an error in the script and display output using onerror. This input will do a job for us:


# Comment: Any number can be used instead of 5

[X] Level 5: Breaking protocol

In this case we need to take advantage of the sign up page. You should see a input form after hitting “Sign up” button. Inputting script does not work here and so we need to find a way around.

From the link above we can see that the webapp calls confirm.html after signing up.

As you can see from the code, confirm.html relocates you to {{ next }} after hitting the next button. We can take advantage of that and replace the next with our custom JS code therefore forcing the webapp to execute it instead of redirecting to another page. Paste the below link into the search bar and hit “Next>>” button.

[X] Level 6: Follow the Rabbit

As might be guessed, the last Level is the most interesting one. It has many different approaches but the easiest one appears to be ‘hosting’ the JS script on pastebin. <– here’s an example.

The code makes it obvious that gadget.js is a link and the webapp is filtering all http:// links to prevent hosting attack. What we can do is use htTp:// instead of http://. The filter will recognize it as a different input and pass it.

[X] Concluding

Congratulations! We have completed the game.
It is important to treat this game as a beginner level introduction which gives you an approach to most common XSS attacks.