Data Flow
Source of Data |
|
Data from Source |
|
Data to Sink |
|
Sink causing Execution |
location.href |
|
|
|
|
|
HTMLElement.innerHTML |
window.name |
|
|
|
Vulnerable Code
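// Vulnerable sample (behaviour kept on purpose): builds an <a href> from two
// attacker-influenced sources -- the "user" query parameter of location.href
// and window.name -- and writes the result through innerHTML.
// Only double quotes are entity-encoded. That keeps the value inside the href
// attribute, but it says nothing about what the attribute is then interpreted
// as, and window.name is writable by whichever document opened or framed this
// page, so neither value is trustworthy.
// Defensive form: build the anchor with document.createElement, set its label
// with textContent, and assign href only after resolving the value with
// new URL(value, location.href) and checking .protocol against an allowlist.
const urlParts = location.href.split("?");
if (urlParts.length > 1) {
  // Manual parsing is kept as in the original; URLSearchParams would also
  // percent-decode values, which changes what reaches the sink.
  const queryParts = urlParts[1].split("&");
  let userId = "";
  for (const part of queryParts) {
    const keyVal = part.split("=");
    if (keyVal.length > 1 && keyVal[0] === "user") {
      userId = keyVal[1];
      break;
    }
  }
  if (userId.startsWith("ID-")) {
    // Drop the "ID-" prefix and keep at most 10 characters (same as substr(3, 10)).
    userId = userId.slice(3, 13);
    // Entity-encode double quotes so the value cannot terminate the attribute.
    // The page rendered this replacement as `"""`; the intended literal is "&quot;".
    userId = userId.replace(/"/g, "&quot;");
    const windowValueToUse = window.name.replace(/"/g, "&quot;");
    // Sink: both untrusted values are concatenated into markup and parsed as HTML.
    const msg = `<a href="${userId}${windowValueToUse}">Welcome</a>!!`;
    document.getElementById("msgboard").innerHTML = msg;
  }
}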