SourceCodester MatchMaster Cross-Site Scripting Vulnerability
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester's MatchMaster application version 1.0. This issue allows remote attackers to inject arbitrary web scripts or HTML. The vulnerability arises because the application does not adequately sanitize or encode user input in test titles and matching pair items before inserting it into the DOM during test execution. Exploitation requires convincing a victim to engage with a maliciously crafted matching test.
Impact
Successful exploitation allows for Cross-Site Scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, open the MatchMaster application and create a custom test. Inject a payload, such as a button element with an onclick event, into the test title or matching pair items. After creating the test, click 'Check Answers' to render the injected payload in the matching interface. When the payload is clicked, the injected script executes, demonstrating the XSS vulnerability.
Remediation
Users are advised to sanitize and encode user input before inserting it into the DOM. The application should use 'textContent' or 'innerText' for plain text, and if HTML is allowed, a robust sanitizer should be employed to disallow dangerous elements and attributes. Additionally, a Content Security Policy (CSP) should be applied to restrict inline script execution.
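The rendering pattern behind this issue and the encoding fix recommended above, as an added example written for this advisory; it is not MatchMaster's own code, models the DOM insertion as HTML-string rendering so it runs under Node, and uses a constructed test title as sample input.

```javascript
// Added example, not the project's code. The matching interface concatenates the
// test title and pair items into markup; the same pattern is modelled here as a
// string renderer so it runs without a browser.

// Constructed sample input: a test title carrying markup, as described in the advisory.
const SAMPLE_TITLE = 'Capitals <button onclick="alert(1)">Check</button>';
const SAMPLE_PAIR = { left: 'France', right: 'Paris' };

// Vulnerable pattern: user-controlled text dropped straight into markup (innerHTML-style).
function renderPairRowUnsafe(title, pair) {
  return `<h2>${title}</h2><div class="pair">${pair.left} - ${pair.right}</div>`;
}

// Encoder for the HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every user-controlled value is encoded before it reaches markup,
// so the browser parses the payload as text rather than as an element with a handler.
function renderPairRowSafe(title, pair) {
  return `<h2>${escapeHtml(title)}</h2><div class="pair">${escapeHtml(pair.left)} - ${escapeHtml(pair.right)}</div>`;
}

// Equivalent when building DOM nodes directly: textContent assigns text and never parses markup.
function setTitleSafe(headingEl, title) {
  headingEl.textContent = title;
}

// Review/detection check for rendered output: a literal tag from the user-controlled set,
// or an inline event handler inside a real tag, means input reached the HTML parser.
function containsActiveMarkup(html) {
  const userTag = /<\s*(script|button|img|iframe|svg)\b/i;
  const inlineHandler = /<[a-z]+[^>]*\bon[a-z]+\s*=/i;
  return userTag.test(html) || inlineHandler.test(html);
}

// Defence in depth: a CSP value that blocks inline handlers such as onclick even if one
// encoding call is missed. Served as the Content-Security-Policy response header.
const CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'";
```

The unsafe renderer fails the `containsActiveMarkup` check on the sample title while the encoded renderer passes it, which is the difference a code review of the matching view should look for.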