Let's start with a new XSS game that teaches one of the most famous vulnerabilities in web apps, the PwnFunction XSS game.
Although the game is not maintained anymore, it still teaches a lot about XSS. You can access this level from here
So let's understand what this code does:
- `new URL(location).searchParams.get('somebody')`: this reads a GET parameter called `somebody` from the page URL
- if that parameter is missing or empty, the code falls back to "Somebody" as the default value.
- Then the value we selected is appended to "Touch My Spagheti!"
What we can see above is that the value of the GET parameter is not sanitized or checked at all, and it is written into the page as HTML through `innerHTML`, which is the classic DOM XSS sink.
So in general, what we need to do is pop "1337" using the alert function, so let's do it.
Let's start with the basics and add a plain `<script>` tag.
We can see that nothing happens. This is expected: browsers do not execute `<script>` elements that are inserted through `innerHTML`, so let's try to see if any other HTML tag is rendered.
And perfect, we can see that the tag takes effect. So instead of a script tag we will use an HTML tag with an event handler attribute.
Let's use the `onerror` event. I like to use the PortSwigger cheat sheet, which helps a lot; you can access it from here
There are a lot of payloads for the `onerror` event, but we will take the following one
<img src onerror=alert(1337)>
But let's understand how this code works: `onerror` fires when the source of the image fails to load. Since we give the img tag an empty `src` (a source that doesn't exist works too), the image load fails, the handler runs, and the alert is executed.
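To make the point about the sink concrete, here is an added example (not code from the PwnFunction game or from this post) that models the level's logic outside the browser: the same `?somebody=` lookup with the same default, the vulnerable string that `innerHTML` would receive, and a hardened version that HTML-escapes the parameter before it reaches the markup. The `escapeHtml` and `containsInjectedTag` helpers and the `example.test` URLs are my own constructions; the payload string is the one shown above.

```javascript
// Added example: models the Ma Spaghet! sink in plain Node.js (no DOM needed).
// Vulnerable and hardened renderers side by side, plus a small check that
// tells whether attacker-controlled markup survived into the output.

// HTML-escape the five characters that matter in element and attribute context.
// (Own helper, not a library call.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mirrors the level's logic: read ?somebody= from the URL, default to "Somebody".
function readSomebody(pageUrl) {
  return new URL(pageUrl).searchParams.get('somebody') || 'Somebody';
}

// Vulnerable: the raw parameter is concatenated into markup, which is exactly
// what the level hands to innerHTML.
function renderVulnerable(pageUrl) {
  const somebody = readSomebody(pageUrl);
  return `<h2>Hello, ${somebody}!, you've touched my Spaghet!</h2>`;
}

// Hardened: same markup, but the user-controlled value is escaped first, so
// '<' and '>' arrive as text, never as tags or attributes.
function renderHardened(pageUrl) {
  const somebody = escapeHtml(readSomebody(pageUrl));
  return `<h2>Hello, ${somebody}!, you've touched my Spaghet!</h2>`;
}

// Check: after removing our own <h2> wrapper, is any other tag present?
// Useful as a quick regression test for a renderer like the one above.
function containsInjectedTag(html) {
  const inner = html.replace(/^<h2>/, '').replace(/<\/h2>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample URLs: a benign visitor and the payload from the write-up.
const BENIGN_URL = 'https://example.test/?somebody=Mario';
const PAYLOAD_URL =
  'https://example.test/?somebody=' + encodeURIComponent('<img src onerror=alert(1337)>');

console.log('vulnerable :', renderVulnerable(PAYLOAD_URL));
console.log('hardened   :', renderHardened(PAYLOAD_URL));
console.log('injected?  :', containsInjectedTag(renderVulnerable(PAYLOAD_URL)),
            containsInjectedTag(renderHardened(PAYLOAD_URL)));
```

In the real page the simplest fix is to assign the parameter with `spaghet.textContent` instead of `innerHTML`, which makes the browser treat it as text; `escapeHtml` is the equivalent when a string really has to go through an HTML sink. Note that the script-tag result from earlier and the `onerror` result are two sides of the same rule: `innerHTML` never runs inserted `<script>` elements, but it does create elements with event handler attributes, and those fire as soon as the image load fails.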
And that's how you solve the Ma Spaghet! level in the PwnFunction XSS game.