Client XSS Exercise-10


Data Flow

| Source of Data | Data from Source | Data to Sink | Sink causing Execution |
| --- | --- | --- | --- |
| location.href, window.name | | | HTMLElement.innerHTML |

Vulnerable Code



    // Exercise listing: this flow is intentionally vulnerable and is kept
    // behaviourally unchanged so the data-flow table above still describes it.
    //   Sources: location.href (the "user" query parameter) and window.name
    //   Sink:    HTMLElement.innerHTML on the #msgboard element
    let urlParts = location.href.split("?");
    if (urlParts.length > 1) {
        // Hand-rolled query parsing: take the first "user=<value>" pair.
        // The value is used exactly as it appears in the URL (no decoding).
        let userId = "";
        for (const pair of urlParts[1].split("&")) {
            const fields = pair.split("=");
            if (fields.length > 1 && fields[0] === "user") {
                userId = fields[1];
                break;
            }
        }

        // The "ID-" prefix check is the only validation applied to the parameter.
        if (userId.startsWith("ID-")) {
            // Both inputs get the same filter: only the double quote is escaped.
            // That keeps the value inside the href attribute, but nothing here
            // restricts which URL scheme the concatenated value can form.
            const escapeQuotes = (text) => text.replace(/"/g, "&quot;");

            // URL-derived part: at most 10 characters after the "ID-" prefix.
            const idPart = escapeQuotes(userId.substr(3, 10));

            // window.name is not length-limited here, and it can be set by
            // another page that opened or navigated this window, so it is
            // untrusted input just like the query string.
            const namePart = escapeQuotes(window.name);

            // Sink: markup built by string concatenation and parsed via innerHTML.
            // Defensive alternative: create the <a> with DOM APIs, set the text
            // with textContent, match userId against a strict pattern, and only
            // assign href after checking the resolved URL's protocol against an
            // allow-list.
            document.getElementById("msgboard").innerHTML =
                `<a href="${idPart}${namePart}">Welcome</a>!!`;
        }
    }