Auditor: Ifeoluwa
Level 1: Hello, World of XSS (Reflected)
Vulnerable Code:
- Source: The 'query' URL parameter.
- Sink: self.response.out.write(message), which writes the message containing the unencoded query straight into the HTML response.
Exploit Details:
Payload: <script>alert(1)</script>
Remediation:
Implement HTML entity encoding on the server side so that special characters such as < and > are escaped before the query is rendered.
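The encoding step described above, as an added example that is not part of the audit or the application under test. It is written in JavaScript so it can be run directly; the same function applied in the server-side handler gives the Level 1 fix, and it also serves as a defence-in-depth layer for stored messages (Level 2) whenever they must be inserted as markup. The render functions are stand-ins for the sink, not the application's own code, and the sample input is constructed from the payload listed above.

```javascript
// Minimal HTML entity encoder for the HTML-body context (added example).
// These five characters are the ones that can change HTML structure.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Replace every structural character with its entity; everything else passes through.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Stand-in for the vulnerable sink: the parameter is concatenated unencoded.
function renderVulnerable(query) {
  return `<p>No results for <b>${query}</b>.</p>`;
}

// Hardened form: the parameter is encoded, so the browser displays it as text.
function renderSafe(query) {
  return `<p>No results for <b>${encodeForHtml(query)}</b>.</p>`;
}

// Constructed sample input (the payload from the audit).
const sample = "<script>alert(1)</script>";

// Reports whether a rendered page still contains a live <script> tag.
function containsScriptTag(html) {
  return /<script/i.test(html);
}

console.log(renderSafe(sample));
// The encoded output carries &lt;script&gt; and never an executable tag.
```

Encoding must match the output context: this table is correct for HTML body and quoted attribute values, but a JavaScript string context (Level 4) or a URL context (Levels 5 and 6) needs its own rules, which is why those levels use validation rather than entity encoding.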
Level 2: Persistence is Key (Stored)
Vulnerable Code:
- Source: User-submitted messages stored in the database.
- Sink: document.getElementById('post-container').innerHTML = html;
Exploit Details:
Payload: <img src='x' onerror='alert(1)'>
Remediation:
Use .textContent or .innerText instead of .innerHTML so the browser treats the stored message as text rather than parsing it as HTML.
Level 3: That Sinking Feeling (DOM-Based)
Vulnerable Code:
- Source: window.location.hash (the string after #).
- Sink: $('#tabContent').html(html) where html is built via string concatenation.
Exploit Details:
Payload: 1' onerror='alert(1)'
Remediation:
Validate the tab number against an allow-list, or coerce it with parseInt(), so that only a number is ever concatenated into the markup.
Level 4: Context Matters (Reflected/JS Context)
Vulnerable Code:
- Source: The 'timer' URL parameter.
- Sink: Inline HTML event handler: onload='startTimer("{{ timer }}");'.
Exploit Details:
Payload: 3'); alert(1); //
Remediation:
Cast the input to an integer on the server side before rendering it into the script context, and reject any value that is not a number rather than interpolating it.
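Strict numeric validation for both the Level 3 tab number and the Level 4 timer, as an added example that is not part of the audit or the application. It is written in JavaScript so it can be run directly; for Level 4 the identical check belongs in the server-side handler before the template is rendered. The image path and the timer range are assumptions for illustration, and the sample inputs are constructed from the payloads listed above.

```javascript
// Returns the integer if the whole string is a plain decimal integer within
// [min, max]; otherwise null. A full-string regex is used instead of relying on
// parseInt() alone: parseInt("1' onerror='alert(1)'") returns 1, which is safe
// to render but silently hides the fact that hostile input arrived, whereas a
// strict match rejects it outright and can be logged.
function toStrictInt(untrusted, min, max) {
  const s = String(untrusted).trim();
  if (!/^\d{1,9}$/.test(s)) return null;
  const n = Number(s);
  return n >= min && n <= max ? n : null;
}

// Level 3 style sink: choose an image by the tab number from the hash fragment.
// Only a validated integer is ever concatenated; the path is a hypothetical one.
function chooseTab(hashFragment) {
  const n = toStrictInt(hashFragment.replace(/^#/, ""), 1, 3);
  if (n === null) return null;                 // unknown tab: render nothing
  return `<img src="/static/cloud${n}.jpg">`;
}

// Level 4 style sink: the timer value lands inside an inline event handler.
// Interpolating the validated integer (not the raw string) closes the string
// and script context injection shown in the audit.
function renderTimerHandler(timerParam) {
  const n = toStrictInt(timerParam, 1, 3600);  // assumed range: 1 second to 1 hour
  if (n === null) return null;
  return `onload="startTimer(${n});"`;
}

// Constructed samples: a legitimate value and the payloads from the audit.
console.log(chooseTab("#2"));
console.log(chooseTab("#1' onerror='alert(1)'"));
console.log(renderTimerHandler("3"));
console.log(renderTimerHandler("3'); alert(1); //"));
```

Returning null for rejected input lets the caller fall back to a default (for example tab 1, or a fixed timer) instead of echoing anything derived from the bad value back into the page.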
Level 5: Breaking Protocol (DOM-Based)
Vulnerable Code:
- Source: The 'next' URL parameter.
- Sink: The href attribute of an anchor tag: <a href='{{ next }}'>.
Exploit Details:
Payload: javascript:alert(1)
Remediation:
Validate URL schemes. Only allow 'http://' or 'https://' and reject 'javascript:' or 'data:' schemes.
Level 6: Follow the White Rabbit (DOM-Based)
Vulnerable Code:
- Source: window.location.hash.substr(1).
- Sink: scriptEl.src = url; where the script is appended to the document.
Exploit Details:
Payload: HTTPS://www.google.com/jsapi?callback=alert or data:text/javascript,alert(1)
Remediation:
Match the scheme check case-insensitively (the /i regex flag) and add a Content Security Policy (CSP) that restricts script sources to trusted origins.
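URL validation for the Level 5 redirect target and the Level 6 script source, as an added example that is not part of the audit or the application. Instead of a hand-written prefix regex it uses the WHATWG URL parser (global in Node and browsers), which lower-cases the scheme, so the mixed-case HTTPS:// variant and javascript:/data: URLs are handled without a separate case-insensitive pattern. The site origin https://example.test/ and the CSP value are assumptions for illustration; sample inputs are constructed from the payloads listed above.

```javascript
// Schemes that may appear in a redirect href (Level 5).
const ALLOWED_REDIRECT_SCHEMES = new Set(["http:", "https:"]);

// Assumed origin of the application; relative 'next' values resolve against it.
const SITE_ORIGIN = "https://example.test/";

// Level 5: returns an absolute http(s) URL for the 'next' parameter, or null.
// Parsing normalises case, so "JavaScript:" is still seen as protocol "javascript:".
function safeRedirectTarget(next, base = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(String(next), base);
  } catch (e) {
    return null;                                     // unparsable: reject
  }
  if (!ALLOWED_REDIRECT_SCHEMES.has(url.protocol)) return null;  // javascript:, data:, ...
  return url.href;
}

// Level 6: a script may only be loaded from the site's own origin over https.
// This rejects data: URLs, plain http, and any third-party host regardless of
// how the scheme is capitalised in the fragment.
function isAllowedScriptSource(candidate, base = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(String(candidate), base);
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:") return false;
  return url.host === new URL(base).host;
}

// Second layer: even if the check above were bypassed, this policy stops the
// browser from executing scripts fetched from other origins or from data: URLs.
function cspHeader() {
  return "Content-Security-Policy: default-src 'self'; script-src 'self'";
}

// Constructed samples: legitimate values and the payloads from the audit.
console.log(safeRedirectTarget("confirm"));
console.log(safeRedirectTarget("javascript:alert(1)"));
console.log(isAllowedScriptSource("/static/gadget.js"));
console.log(isAllowedScriptSource("HTTPS://www.google.com/jsapi?callback=alert"));
console.log(isAllowedScriptSource("data:text/javascript,alert(1)"));
console.log(cspHeader());
```

Both checks return a clear negative rather than a "cleaned" string, so the caller can fall back to a fixed default (the home page, the bundled script) and never echo the rejected value into the DOM.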
Conclusion
This audit demonstrates that Cross-Site Scripting (XSS) occurs when an application processes untrusted data without appropriate contextual encoding. Whether the context is HTML, an attribute, or a JavaScript string, the remedy is consistent: treat all user input as data, never as executable code. Modern security practices recommend using automated encoding frameworks and strict Content Security Policies to provide