If you didn't know already, Google takes its application security seriously, especially when it comes to Cross-Site Scripting. They already have a Vulnerability Rewards Program and XSS Learning Documentation posted on their application security site. A few weeks ago, I saw some chatter on Twitter about a new approach for teaching folks about Cross-Site Scripting: The XSS Game! Wait a second, teach people about XSS by playing a game? It sounds like an app I would download on my tablet for my daughter to play with. Brilliant! Where do I sign up?
The Welcome screen contains some background information about XSS, Google's vulnerability rewards program, and a link that takes you into the 1st of 6 missions. The goal of each mission is to get a JavaScript alert box to pop up in the embedded browser.
Each level has a few hints, and a link to view the Python, HTML, and JavaScript source code running in the embedded browser. For those that do web development or code review regularly, this is a perfect way to quickly spot the vulnerability on each level. Sounds easy enough, right?
As the game progresses, you will find that reflected, persistent, and DOM XSS attacks are all covered. The various levels also require writing different types of payloads to exploit XSS in HTML, JavaScript, HTML attribute, and URL contexts. Other vulnerabilities such as remote JavaScript file inclusion and weak data validation also come into play as you work through the levels. And of course, cake is your prize for completing all 6 levels!
Overall, I'd say this game does a fantastic job of challenging developers to think about the various ways that Cross-Site Scripting can be introduced into an application. It combines two very important skill sets for those working in application security: code review analysis and dynamic testing, both of which are needed to fully assess the security of a web application.
Are you up for the challenge? https://xss-game.appspot.com/
Eric Johnson is a security consultant at Cypress Data Defense, and an instructor and contributing author for the SANS DEV544 Secure Coding in .NET course. He previously spent six years performing web application security assessments for a large financial institution, and another four years focusing on ASP .NET web development. Other experience includes developing security tools, secure code review, vulnerability assessment, penetration testing, risk assessment, static source code analysis, and security research. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University. Eric currently holds the CISSP, GWAPT, and GSSP-.NET certifications and is located in West Des Moines, IA. Follow Eric on Twitter @emjohn20.