[6/6] Level 6: Final Challenge
Mission Description
This is the final challenge! This level combines multiple XSS concepts. The application loads external "gadgets" via URL parameters and uses a complex sanitization function that has a bypass vulnerability.
Mission Objective: Find a way to bypass the sanitization and execute JavaScript through the gadget parameter.
Gadget Store
Clock
Weather
Calculator
Notes
Hints
The application loads gadgets via the
?gadget= URL parameter.
Look at the source code to see how it sanitizes input.
The sanitizer blocks
<script> tags, but it's
case-sensitive. Can you think of other ways to execute JavaScript in HTML?
The sanitizer doesn't block all event handlers. Try:
?gadget=<svg/onload=alert('XSS')>
function sanitize(input) {
// Attempt to sanitize input (FLAWED!)
return input.replace(/<script>/gi, '')
.replace(/javascript:/gi, '');
}
function loadGadgetFromURL() {
const params = new URLSearchParams(window.location.search);
const gadget = params.get('gadget');
if (gadget) {
const display = document.getElementById('gadget-display');
// VULNERABLE: Weak sanitization allows bypass
display.innerHTML = sanitize(gadget);
}
}