[4/6] Level 4: Script Context
Mission Description
This level demonstrates XSS in JavaScript context. User input is being placed directly into a JavaScript string without proper escaping. You need to break out of the string context to execute your own code.
Mission Objective: Manipulate the URL parameter to execute JavaScript from within the script context.
Timer Application
00:00
Hints
The URL parameter
?timer= is being inserted into a JavaScript
string. Look at the source code to see how it's used.
You need to escape the string context first. Use a single quote
(
') to close the string, then a semicolon (;) to
end the statement.
Try this URL:
?timer=';alert('XSS');//
function initTimer() {
const params = new URLSearchParams(window.location.search);
const timerValue = params.get('timer') || '60';
// VULNERABLE: User input in JavaScript string without escaping
eval("var defaultTime = '" + timerValue + "';");
if (defaultTime) {
document.getElementById('seconds').value = defaultTime;
}
}
initTimer();