Sourcecodester Domain Availability Checker DOM-Based Cross-Site Scripting Vulnerability

Vulnerability

A DOM-based Cross-Site Scripting vulnerability has been identified in Sourcecodester Domain Availability Checker version 1.0. The issue arises in the DomainCheckerApp class within the domain/script.js file, where user-supplied data is improperly handled in the createResultElement method. The application uses the unsafe innerHTML property to render domain search results, allowing for the execution of malicious scripts in the user's browser.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to the theft of session cookies or authentication tokens, account takeover, unauthorized actions performed on behalf of the victim, phishing attacks, or client-side defacement.

Reproduction

To reproduce this vulnerability, enter a crafted image tag with an onerror event into the domain input field. After the application processes the input and returns it in the results array, the injected script will execute due to the use of innerHTML in the script.js file.
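A remediation sketch for the innerHTML sink in createResultElement described above. It is an added example, not code from the project's script.js: the result fields (`domain`, `available`), the `doc` parameter, and the helper names `isValidDomain`, `createResultElementUnsafe` and `renderResults` are assumptions.

```javascript
// Added example (hypothetical reconstruction, not the project's script.js).
// Assumed result shape: { domain: string, available: boolean }.
// `doc` is the DOM Document; pass `document` in a browser.

// Hostname allow-list: LDH labels of 1-63 chars, at least two labels, <= 253 chars.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidDomain(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 253) return false;
  const labels = name.split(".");
  return labels.length >= 2 && labels.every((label) => LABEL.test(label));
}

// The pattern the advisory describes: the value is concatenated into an HTML
// string and parsed by innerHTML, so any markup in it becomes live DOM.
function createResultElementUnsafe(doc, result) {
  const el = doc.createElement("div");
  el.className = "result";
  el.innerHTML = `<span class="domain">${result.domain}</span>`;
  return el;
}

// Hardened form: build nodes explicitly and assign text through textContent,
// which never invokes the HTML parser.
function createResultElement(doc, result) {
  const el = doc.createElement("div");
  el.className = "result";

  const name = doc.createElement("span");
  name.className = "domain";
  name.textContent = String(result.domain);

  const status = doc.createElement("span");
  status.className = "status";
  status.textContent = result.available ? "Available" : "Taken";

  el.append(name, status);
  return el;
}

// Defense in depth: drop entries that are not syntactically valid hostnames
// before rendering, and render the rest only through the hardened builder.
function renderResults(doc, container, results) {
  const safe = results.filter((r) => isValidDomain(r.domain));
  container.replaceChildren(...safe.map((r) => createResultElement(doc, r)));
  return safe.length;
}
```

The textContent change alone closes the sink; the hostname check is a second layer and should also run where the input field is read.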

Added: Jan 23, 2026, 10:21 PM
Updated: Jan 23, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.