Tags: web xss 

Rating: 4.7

#### Several vulnerabilities need to be chained to achieve XSS.

First, the server is vulnerable to a JSON injection (arbitrary fields can be added to dweed objects), which can be used to craft an arbitrary `id`.

Second, the templating framework used by the challenge escapes all values for an HTML context, even those that are actually used in a JavaScript context.

Third, the additional filter on the `id` field can be bypassed by abusing the recursiveness of the `populate` function (which populates a template from a JavaScript object): if the `foo` field is set to `${bar}`, the template will then try to replace `${bar}` with the value of the `bar` field.\
We can use this to 'redirect' the injection from the filtered `id` parameter to an unfiltered one (such as `title`).
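A toy model of the recursion bug and of a hardened `populate`, added here as an illustration and not taken from the challenge's code; the `${field}` placeholder syntax, the `id` filter rule, the escaping helper and the sample dweed are all assumptions.

```javascript
// Toy model of the populate() recursion described above. The placeholder
// syntax, the `id` filter rule and the sample dweed are constructed; none of
// this is the challenge's real code.
const PLACEHOLDER = /\$\{(\w+)\}/g;

// Hypothetical extra filter on `id`: drops characters that would let the value
// break out of its context, but lets `$`, `{` and `}` through (assumed rule).
const filterId = (v) => String(v).replace(/[<>"'&]/g, '');

// Vulnerable populate: after substituting, it rescans the output, so a
// placeholder carried inside a field's value is expanded on the next pass.
function populateRecursive(template, obj, depth = 0) {
  const out = template.replace(PLACEHOLDER, (_, key) =>
    key === 'id' ? filterId(obj[key] ?? '') : String(obj[key] ?? ''));
  // Stop when nothing changed; the depth bound only guards against `${id}` in id.
  return out !== template && depth < 8 ? populateRecursive(out, obj, depth + 1) : out;
}

// Escape for a double-quoted JS string literal: JSON.stringify handles quotes,
// backslashes and control characters; `<` is escaped so `</script>` cannot
// close an inline script block.
const jsStringEscape = (s) =>
  JSON.stringify(String(s)).slice(1, -1).replace(/</g, '\\u003c');

// Hardened populate: a single pass, substituted text is never rescanned, and
// every value is escaped for the JS string context it lands in.
function populateOnce(template, obj) {
  return template.replace(PLACEHOLDER, (_, key) => jsStringEscape(obj[key] ?? ''));
}

// Server-side check: report fields whose value smuggles a placeholder, which a
// legitimate dweed never needs.
function smuggledPlaceholders(obj) {
  return Object.keys(obj).filter((k) => /\$\{\w+\}/.test(String(obj[k])));
}

// Constructed sample: `id` points at `title`, and `title` holds the characters
// the `id` filter would have removed.
const dweed = { id: '${title}', title: 'x" <tag>' };
const template = 'var dweedId = "${id}";';
```

With the recursive version, `title`'s raw content ends up where `id` was rendered; the single-pass version leaves the literal text `${title}` in place and the check flags the `id` field.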

Original writeup: https://0xukn.fr/posts/writeupkipodafterfreectf2020dweeder/