Tags: web xss
Rating: 4.7
#### Several vulnerabilities need to be chained to achieve XSS.
First, the server is vulnerable to JSON injection (arbitrary fields can be added to dweed objects), which can be used to craft an arbitrary `id`.
Second, the templating framework used by the challenge filters all values for an HTML context, even when they are actually used in a JavaScript context instead.
Third, the additional filter on the `id` field can be bypassed by abusing the 'recursiveness' of the `populate` function (which fills a template from a JavaScript object): if the `foo` field is set to `${bar}`, the template will then try to replace `${bar}` with the value of the `bar` field.\
We can use this to 'redirect' the injection from the filtered `id` parameter to a non-filtered one (`title`, for example).
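The chain above, as an added illustration that is not the challenge's own code: the challenge's template engine, `populate` implementation and exact `id` filter are not shown on the page, so `populateRecursive`, `filterId`, `htmlEscape`, `jsStringLiteral`, `populateOnce`, `buildDweed` and the sample `TEMPLATE` are all assumptions. The recursive version re-scans substituted text, so an `id` of `${title}` pulls the unfiltered `title` into the script context; the single-pass version and the field allow-list close the templating and JSON-injection halves respectively.

```javascript
// Added illustration (not the challenge's code): a toy template engine whose
// populate step re-scans substituted text, so a `${title}` placed in the
// filtered `id` field pulls in the unfiltered `title` field. The single-pass
// version and the field allow-list below close both gaps.

const PLACEHOLDER = /\$\{(\w+)\}/g;

// Encoding for an HTML text/attribute context (what the write-up says the
// framework applies to every value, regardless of where the value lands).
function htmlEscape(value) {
  return String(value).replace(/[&<>"]/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
}

// Encoding for a JavaScript string-literal context: a JSON literal with
// angle brackets escaped so it cannot close an enclosing <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// Assumed extra filter on `id`: strips quotes, angle brackets and slashes.
// `$`, `{` and `}` survive, which is what the redirection relies on.
function filterId(value) {
  return String(value).replace(/["'<>\/]/g, "");
}

function encodeField(key, value) {
  const raw = key === "id" ? filterId(value) : String(value);
  return htmlEscape(raw);
}

// Vulnerable: keeps substituting until no placeholder is left, so a value
// that itself contains `${other}` is expanded on the next pass.
function populateRecursive(template, obj, maxPasses = 10) {
  let out = template;
  for (let pass = 0; pass < maxPasses; pass++) {
    let changed = false;
    out = out.replace(PLACEHOLDER, (match, key) => {
      if (!Object.prototype.hasOwnProperty.call(obj, key)) return match;
      changed = true;
      return encodeField(key, obj[key]);
    });
    if (!changed) break; // nothing substituted; maxPasses also bounds `${id}` -> `${id}` loops
  }
  return out;
}

// Hardened: one pass over the original template, so substituted text is never
// re-scanned, and the caller picks the encoder for the context the template
// sits in (HTML body vs. inline script).
function populateOnce(template, obj, encode = htmlEscape) {
  return template.replace(PLACEHOLDER, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) return match;
    const raw = key === "id" ? filterId(obj[key]) : String(obj[key]);
    return encode(raw);
  });
}

// Closes the JSON-injection half of the chain: only allow-listed fields are
// copied from the client-supplied object, so a client-chosen `id` is dropped.
const CLIENT_FIELDS = ["title", "body"];
function buildDweed(clientJson, serverId) {
  const parsed = JSON.parse(clientJson);
  const dweed = { id: serverId };
  for (const key of CLIENT_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(parsed, key)) dweed[key] = String(parsed[key]);
  }
  return dweed;
}

// Constructed sample: the page template places `id` inside a script string,
// and the crafted object redirects `id` to the unfiltered `title`.
const TEMPLATE = "<h1>${title}</h1><script>var id = '${id}';</script>";
const craftedDweed = { id: "${title}", title: "x'; // constructed", body: "hi" };

function demo() {
  return {
    vulnerable: populateRecursive(TEMPLATE, craftedDweed),
    hardened: populateOnce(TEMPLATE, craftedDweed),
    hardenedScript: populateOnce("var id = ${id};", craftedDweed, jsStringLiteral),
    allowListed: buildDweed('{"title":"t","id":"${title}"}', "server-42"),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

In `demo().vulnerable` the second pass expands `${title}` inside the script string and the `'` from `title` terminates the JavaScript literal, which HTML escaping never touches; `demo().hardened` leaves the literal text `${title}` in place, and `hardenedScript` shows the context-appropriate encoder producing a proper JSON string literal.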