WPTavern: Learn How to Find and Exploit XSS Vulnerabilities with Google’s XSS Game
In 2016, Acunetix, a UK-based security firm, found that 33% of websites and web apps are vulnerable to XSS. This number is down 5% from the company’s findings for the previous year, but it’s still one of the most common vulnerabilities. In fact, every WordPress security release for the past year has included patches for cross-site scripting (XSS) vulnerabilities, including 4.5.2, 4.5.3, 4.6.1, 4.7.1, 4.7.2, and many other previous releases.
Google has created a fun and educational XSS game that teaches new bug hunters how to find and exploit XSS vulnerabilities. Each challenge teaches students how to inject a script that pops up an alert() within the training application. The first few levels are fairly easy, and the challenges get progressively more difficult.
It was designed for developers who work on web apps but do not specialize in security. Google’s goal with the game is to help developers get better at recognizing the vulnerabilities in their own code:
This security game consists of several levels resembling real-world applications which are vulnerable to XSS – your task will be to find the problem and attack the apps, similar to what an evil hacker might do.
XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.
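The "common coding pattern" the quote refers to is untrusted input being concatenated straight into HTML. As an added example, not code from the WPTavern post or from Google's XSS game, here is that pattern next to its hardened form, with a small check a code reviewer or unit test could use to catch the unsafe version. The function names and the sample inputs are constructed for the illustration; the payload is the same benign alert() the game uses.

```javascript
// Added example (not from the WPTavern post or Google's XSS game): the
// classic coding pattern behind reflected XSS, beside the hardened version.
// Runs in Node; the "page" is just a string, so no browser is needed.

// Constructed sample inputs: an ordinary name and one carrying markup.
const BENIGN_NAME = "Alice";
const MARKUP_NAME = '<script>alert("xss")</script>';

// Vulnerable pattern: untrusted input is concatenated directly into HTML,
// so anything the user supplied becomes part of the document's markup.
function renderGreetingUnsafe(name) {
  return "<h1>Hello, " + name + "!</h1>";
}

// Hardened pattern: escape the five characters that carry meaning in HTML
// text and attribute contexts before the value is placed in the page.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderGreetingSafe(name) {
  return "<h1>Hello, " + escapeHtml(name) + "!</h1>";
}

// Review check: does the rendered output still contain a raw <script> tag?
// This is the kind of assertion a unit test around a template should make.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration: the same input rendered both ways.
console.log("unsafe :", renderGreetingUnsafe(MARKUP_NAME));
console.log("safe   :", renderGreetingSafe(MARKUP_NAME));
console.log("unsafe output has raw <script>:", containsRawScriptTag(renderGreetingUnsafe(MARKUP_NAME)));
console.log("safe output has raw <script>  :", containsRawScriptTag(renderGreetingSafe(MARKUP_NAME)));
```

Escaping at output time, in the context where the value lands (here HTML text), is what the WordPress patches mentioned above generally amount to; the escaping function must match the context, so a value placed inside a JavaScript string or a URL needs a different encoder than the one shown.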
The intro to the game tempts new recruits to hone their skills with promises to pay mercenaries up to $7,500 for discovering XSS bugs in Google’s most sensitive products. It gives a nice introduction to common attack vectors for XSS vulnerabilities and congratulates winners with a cake and a link to more in-depth XSS documentation from Google’s collection of application security resources.
The XSS game has been around for a few years and provides a fun way to start your XSS learning if you have a few minutes over the weekend. With the constant stream of security updates for WordPress core, plugins, and themes, it’s good to get a basic understanding of what many of these patches are for. After a little bit of study and practice, you may be able to find XSS vulnerabilities in applications and help make the internet more secure.