I found the JS script below in the CTF website's source code. If I understand the script correctly, after the website is loaded, the getParameterByName function is called, which returns the value of the focus URL parameter. Subsequently, the value is treated as a selector on which the focus() function is called. So, for example, appending ?focus=#search to the base URL highlights the input with id 'search'.

function getParameterByName(name, url) {
  if (!url) url = window.location.href;
  // Escape [ and ] so they are matched literally when the name is used in the regex
  name = name.replace(/[\[\]]/g, "\\$&");
  // Capture everything after "name=" up to the next "&" or "#"
  var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
      results = regex.exec(url);
  if (!results) return null;
  if (!results[2]) return '';
  // "+" becomes a space, then the value is percent-decoded
  return decodeURIComponent(results[2].replace(/\+/g, " "));
}

$(document).ready(function() {
  // Focus the field specified in the focus parameter
  var selector = getParameterByName("focus");
  $(selector).focus();

  // Override submit function
  $("#search_form").submit(function(e) {
    $("#output").text("submitting");
    var form = $(this);
    var url = form.attr('action');
    $.ajax({
      type: "POST",
      url: url,
      data: form.serialize(), // serializes the form's elements
      success: function(data) {
        $("#output").text(data);
      }
    });

    e.preventDefault(); // avoid executing the actual submit of the form
  });
});

I've tried modifying the URL by passing an input element with onFocus, but without success. https://example.org/?focus=<input type='text' onFocus='alert(1)'>

Also, I tried escaping the string to call the alert inside the focus. https://example.org/?focus=#search").focus(function(){alert(1)});).focus()

Or adding onFocus attribute. https://example.org/?focus=#search").attr('onFocus', 'alert(1)').focus();

All the above attempts failed. I searched Google for "jQuery selector sink" but didn't find anything useful. Can you please point out what I am doing wrong?

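To see what actually reaches $() in the script above, the following added example (not code from the original post or from the CTF site) re-runs the page's getParameterByName() on a few constructed example.org URLs, with the url argument passed explicitly so it runs under Node without a window object, and then classifies each returned value the way jQuery's $() entry point does before it touches the DOM. The classification regex is jQuery 3.x's rquickExpr; assuming the CTF's jQuery build behaves like 3.x is an assumption of this example. The sample URLs mirror the shapes tried in the post, including the raw "#" form, its percent-encoded form, the markup payload, and the attempted quote breakout.

```javascript
// Added example, not code from the original post. It reuses the page's
// getParameterByName() (url passed explicitly so Node can run it) and
// classifies the result the way jQuery 3.x's $() does. The rquickExpr
// regex is reproduced from jQuery 3.x; that the CTF uses a comparable
// build is an assumption.

function getParameterByName(name, url) {
  name = name.replace(/[\[\]]/g, "\\$&");
  // [^&#]* stops at the first '#', so a raw fragment never reaches the
  // captured value; '+' becomes a space before percent-decoding.
  const regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)");
  const results = regex.exec(url);
  if (!results) return null;
  if (!results[2]) return "";
  return decodeURIComponent(results[2].replace(/\+/g, " "));
}

// jQuery 3.x quick check: a string that starts with "<" and ends with ">"
// is parsed as HTML into detached elements, "#word" goes to
// getElementById, and everything else is handed to the selector engine as
// a CSS selector. Invalid CSS throws "Syntax error, unrecognized
// expression"; the string is never evaluated as JavaScript.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function classifySelector(value) {
  // $("") and $(null) yield an empty set, so .focus() is a no-op
  if (value === null || value === "") return "empty";
  const m = rquickExpr.exec(value);
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

function analyse(url) {
  const value = getParameterByName("focus", url);
  return { value: value, kind: classifySelector(value) };
}

// Constructed sample URLs (example.org), not captured from the CTF site.
const samples = {
  rawHash: "https://example.org/?focus=#search",
  encodedHash: "https://example.org/?focus=%23search",
  rawMarkup: "https://example.org/?focus=<input type='text' onFocus='alert(1)'>",
  encodedMarkup:
    "https://example.org/?focus=%3Cinput%20type%3D%27text%27%20onFocus%3D%27alert(1)%27%3E",
  breakout:
    "https://example.org/?focus=%23search%22).focus(function(){alert(1)});).focus()",
};

for (const [label, url] of Object.entries(samples)) {
  console.log(label.padEnd(14), JSON.stringify(analyse(url)));
}
```

Two things stand out when this runs: a raw "#search" after "focus=" produces an empty value, because the parser's character class stops at "#", whereas "%23search" decodes to "#search" and is looked up by id; and the quote-breakout string is classified as a plain selector, so jQuery passes it to its selector engine as data rather than executing it.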