XSS vulnerable app 003-a
Sep 25, 2019 Update: Aug 28, 2021
No user-submitted input written on the page. They are just assigned to a harmless variable in the accompanying JavaScript code.
HTML
CSS
JavaScript
<center>
Enter your username:
<p>
<input type="text" id="input"/>
<div id="screen"></div>
</p>
</center>
document.querySelector('#input').addEventListener('keyup', function(e) {
if (e.keyCode === 13) {
const input = document.querySelector('#input').value;
const screen = document.querySelector('#screen');
const script = document.createElement('script');
script.type = 'text/javascript';
const code = `
var user = '${input}';
document.querySelector('#screen').innerHTML = code;
`;
try {
script.appendChild(document.createTextNode(code));
screen.appendChild(script);
} catch (e) {
script.text = code;
screen.appendChild(script);
}
}
});
#input {
font-size: 16px;
height: 26px;
width: 100%;
margin-bottom: 10px;
padding: 20px;
}
.applet-html {
padding: 20px;
}
.applet {
margin-bottom: 20px;
}Takeaways and notes#
- Eg:
'-alert(1)-'