Hey again (Inti)griti, hope y'all are doing well. Thanks for the challenge as usual.
The main vulnerability is a very limited XSS on line 41, whereby arbitrary data from the r
URL inserted is appended into the DOM as such ({url}
being the injection point).
If you're not being redirected, click <a href=${url}>here</a>
However, it is limited by two checks in place.
- Every single property in both
window
anddocument
object is checked for the keywordjavascript
. If found, the property is deleted entirely, leaving itundefined
(and possibly causing runtime errors). [line 5-11]