XSS vulnerable app 002-c

Sep 25, 2019   Update: Aug 28, 2021

Usernames in this app are alphanumeric characters. Anything which is not alphanumeric will be rejected.

Enter your username:

HTML
CSS
JavaScript
<center>
Enter your username:
<p>
  <input type="text" id="input"/>
  <div id="screen"></div>
</p>
</center>

document.querySelector('#input').addEventListener('keyup', function(e) {
  if (e.keyCode === 13) {
    const username = document.querySelector('#input').value;
    let tagString;
    if (!username.match(/^[a-zA-Z0-9]+$/)) {
      tagString = 'NO HACKING!';
    } else {
      tagString = `<div data-user=${username}>Hi ${username}!</div>`;
    }
    const range = document.createRange();
    range.selectNode(document.getElementsByClassName('applet').item(0));
    const documentFragment = range.createContextualFragment(tagString);
    document.querySelector('#screen').appendChild(documentFragment);
  }
});

#input {
  font-size: 16px;
  height: 26px;
  width: 100%;
  margin-bottom: 10px;
  padding: 20px;
}
.applet-html {
  padding: 20px;
}
.applet {
  margin-bottom: 20px;
}

Takeaways and notes#

  • Is there a way to hack this app?
Tweet this | Share on LinkedIn |