Welcome, recruit!
Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps and you must learn to dispatch them, pronto!
At Google, we know very well how important these bugs are. In fact, Google is so serious about finding and fixing XSS issues that we are paying mercenaries up to $7,500 for dangerous XSS bugs discovered in our most sensitive products.
In this training program, you will learn to find and exploit XSS bugs. You'll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.
There will be cake at the end of the test.
Let me at 'em!
What's this all about?
This security game consists of several levels resembling real-world applications which are vulnerable to XSS - your task will be to find the problem and attack the apps, similar to what an evil hacker might do.
XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.
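To make that coding pattern concrete, here is an added example (not part of the game's own code): a greeting template that splices untrusted input straight into HTML, next to a hardened version that escapes the input for the HTML text context first. The input value and the function names are constructed for this illustration.

```javascript
// Constructed "display name" as it might arrive from a query string.
// The classic benign probe: if a browser parses this as markup, it runs.
const untrustedName = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: untrusted input concatenated directly into markup.
// Equivalent DOM mistake: element.innerHTML = 'Welcome, ' + name;
function renderGreetingUnsafe(name) {
  return '<p>Welcome, ' + name + '!</p>';
}

// Escape the five characters that can change meaning in HTML text or
// quoted attribute values. This covers the text/attribute contexts only;
// URLs, inline event handlers and <script> bodies need their own rules.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: escape before concatenation.
// Equivalent DOM fix: element.textContent = 'Welcome, ' + name;
function renderGreetingSafe(name) {
  return '<p>Welcome, ' + escapeHtml(name) + '!</p>';
}

// Crude tag counter used to show the difference without a real browser:
// counts '<' followed by a letter, i.e. what a parser would treat as a tag.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log(renderGreetingUnsafe(untrustedName), countTags(renderGreetingUnsafe(untrustedName)));
console.log(renderGreetingSafe(untrustedName), countTags(renderGreetingSafe(untrustedName)));
```

The unsafe render contains two tags (the `<p>` and the injected `<img>`); the safe render contains only the `<p>`, and the injected text is displayed literally.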
Who can play?
The game is designed primarily for developers working on Web applications who do not specialize in security. If you're a connoisseur of online hacking challenges you'll find the first few levels quite easy, but you just might learn something useful along the way.
You'll need a modern browser which supports JavaScript and cookies.
Is it possible to cheat at this game?
Yes, since this is a browser-based game, you will be able to cheat by messing with the page internals in developer tools or editing HTTP traffic. However, we're sure that you won't have to resort to that -- there are hints and source to guide you. And as your teacher once told you: you would only be cheating yourself ;-)
How will I know when I'm done?
There will be cake at the end of the test.