Security Experts:

Connect with us

Hi, what are you looking for?



Google Launches Game to Teach XSS Bug Discovery Skills

Google has launched a new game to teach Web application developers how to spot cross-site scripting (XSS) bugs in their code.

Google has launched a new game to teach Web application developers how to spot cross-site scripting (XSS) bugs in their code.

XSS vulnerabilities are highly common in websites, but can be quite dangerous. In fact, Google pays up to $7,500 for XSS bugs discovered in important products.

The XSS Game, which requires a modern web browser with JavaScript and cookies enabled, is mainly addressed to Web application developers who don’t specialize in security. However, Google believes that while security experts might find the first levels easy, they could also learn a few things.

XSS Atacks

“This security game consists of several levels resembling real-world applications which are vulnerable to XSS – your task will be to find the problem and attack the apps, similar to what an evil hacker might do,” Google noted.

“XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.”

For example, the first level, which is called the “Hello, world of XSS,” consists of a simple website with a search feature. Users must find a way to make the vulnerable application execute arbitrary JavaScript code. Up to three hints are provided, the source code and network traffic being available for analysis just like on a regular website.

Google admits that users can cheat at the game by accessing page internals in developer tools or by editing HTTP traffic.

“Cross-site attacks are dangerous because of what they do, but also because the three distinct types of each strike from different angles,” Chris Hinkley, a Senior Security Engineer at FireHost, explained in a late 2012 SecurityWeek column.

Cross-site scripting (CSS) can either be persistent or reflected, and cross-site request forgery (CSRF), where attackers use an authenticated session on one Website to perform unauthorized actions on another site, are also especially dangerous.

“Cross-site scripting is harmful in either of its two forms, but persistent cross-site scripting packs slightly more poison due to its widespread reach,” Hinkley noted. “An example of persistent cross-site scripting would be when an attacker posts a comment to a blog that would include a malicious JavaScript payload – essentially embedding it in that page.”

The XSS Game is not the first security game from Google. Back in 2010, the company released Gruyere, a small web application designed to teach developers how to identify XSS, CSRF, information disclosure, denial-of-service (DoS), and remote code execution vulnerabilities, and how to protect a website against these types of attacks.

RelatedRecently-Patched HTML Sanitization Flaw Linked to Hotmail XSS Vulnerability

RelatedCrossing XSS Off Your Threat Landscape

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet