XSS vulnerable app 002-c
Sep 25, 2019 (updated Aug 28, 2021)
Usernames in this app are alphanumeric characters. Anything which is not alphanumeric will be rejected.
HTML:

```html
<center>
  Enter your username:
  <p>
    <input type="text" id="input"/>
    <div id="screen"></div>
  </p>
</center>
```

JavaScript:

```javascript
document.querySelector('#input').addEventListener('keyup', function (e) {
  // Only act on Enter (keyCode 13).
  if (e.keyCode === 13) {
    const username = document.querySelector('#input').value;
    let tagString;
    // Whitelist: the whole value must be alphanumeric, otherwise it is rejected.
    if (!username.match(/^[a-zA-Z0-9]+$/)) {
      tagString = 'NO HACKING!';
    } else {
      // The raw value is interpolated into an unquoted attribute and into text.
      tagString = `<div data-user=${username}>Hi ${username}!</div>`;
    }
    // The '.applet' container is the wrapper element of the surrounding page
    // (styled in the CSS below); it is not part of the HTML snippet shown here.
    const range = document.createRange();
    range.selectNode(document.getElementsByClassName('applet').item(0));
    // Parse the string as HTML in the context of that node and append it.
    const documentFragment = range.createContextualFragment(tagString);
    document.querySelector('#screen').appendChild(documentFragment);
  }
});
```

CSS:

```css
#input {
  font-size: 16px;
  height: 26px;
  width: 100%;
  margin-bottom: 10px;
  padding: 20px;
}
.applet-html {
  padding: 20px;
}
.applet {
  margin-bottom: 20px;
}
```
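As an added example (not the app's own code), here is the same alphanumeric whitelist written as testable functions, together with the two defence-in-depth changes the app lacks: the output is HTML-encoded and the attribute is quoted, and a DOM-building variant avoids parsing an HTML string at all. The function names and the `doc` parameter are assumptions made for this example.

```javascript
// Added example, not the original app's code: the same alphanumeric
// whitelist, plus output encoding and a quoted attribute so the rendered
// markup stays safe even if the validation rule is later relaxed.

// Same rule the app uses. In JavaScript, `$` without the `m` flag only
// matches at the very end of the input, so a trailing newline is rejected.
const USERNAME_RE = /^[a-zA-Z0-9]+$/;

function isValidUsername(username) {
  return typeof username === 'string' && USERNAME_RE.test(username);
}

// Encode the characters that matter in HTML text and in double-quoted
// attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Defence in depth: validate first, and still encode and quote the output.
// The original app interpolates the raw value into an unquoted attribute.
function buildGreetingMarkup(username) {
  if (!isValidUsername(username)) {
    return 'NO HACKING!';
  }
  const safe = escapeHtml(username);
  return `<div data-user="${safe}">Hi ${safe}!</div>`;
}

// Preferred in a browser: build DOM nodes instead of parsing an HTML string.
// `doc` is the page's `document`, passed in so the function can be tested
// without a browser.
function buildGreetingNode(doc, username) {
  const div = doc.createElement('div');
  if (isValidUsername(username)) {
    div.dataset.user = username;         // attribute value, no HTML parsing
    div.textContent = `Hi ${username}!`; // text node, never treated as markup
  } else {
    div.textContent = 'NO HACKING!';
  }
  return div;
}
```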
Takeaways and notes
- Is there a way to hack this app?