## Exploit

1. There is a clickable image that links to `http://10.0.2.15/?page=media&src=nsa`.
2. The application uses the `src` query parameter as the value of the `data` attribute of an `<object>` element **without validation**.
3. Thus one can exploit XSS by supplying a `data:` URL (carrying a base64-encoded HTML document) instead of the expected image reference (`nsa`) in `src`.
4. Request `curl "http://10.0.2.15/?page=media&src=data:text/html;base64,$(echo -n '' | base64)" | grep flag` (with the HTML payload between the single quotes) to get the flag.

## Fix

Reference: OWASP WSTG, Testing for Reflected Cross Site Scripting: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html

Do not place untrusted user input directly into the `data` attribute of an `<object>` element. Only allow a strict server-side mapping from the `src` key to expected media resources, and as defence in depth reject dangerous schemes such as `data:` and `javascript:` (i.e. validate user input before it reaches the markup).
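The vulnerable pattern beside the hardened one, as an added example that is not code from the challenge or the original writeup. The `MEDIA` allowlist, the `images/nsa_prism.jpg` path and the function names are assumptions made for illustration; the challenge's real mapping is not on the page. The scheme check goes a little beyond the text by normalising case and stripping control characters, since browsers accept `DATA:` and `java\tscript:` as the same scheme.

```python
import base64
import html
from urllib.parse import urlsplit

# Assumed allowlist: the only media keys this page should ever serve.
# The real challenge mapping is unknown; this one is constructed for the example.
MEDIA = {
    "nsa": "images/nsa_prism.jpg",
}

# Schemes that let the attacker supply a document instead of a media file.
DANGEROUS_SCHEMES = {"data", "javascript", "vbscript"}


def exploit_src(payload_html: str) -> str:
    """Build the data: URL the writeup sends in the src parameter."""
    b64 = base64.b64encode(payload_html.encode()).decode()
    return f"data:text/html;base64,{b64}"


def render_vulnerable(src: str) -> str:
    """The pattern the page describes: src lands in data= untouched."""
    return f'<object data="{src}"></object>'


def has_dangerous_scheme(value: str) -> bool:
    """Defence in depth: detect data:/javascript: even when obfuscated.

    Browsers strip ASCII control characters (tab, newline, ...) from URLs and
    match the scheme case-insensitively, so normalise before comparing.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    return urlsplit(cleaned).scheme in DANGEROUS_SCHEMES


def render_hardened(src: str) -> str:
    """Map src to a known resource; anything outside the allowlist is rejected.

    The allowlist alone closes the hole (the attacker never controls the
    attribute value); the scheme check is a second, independent barrier.
    """
    if has_dangerous_scheme(src):
        raise ValueError("rejected scheme in src")
    path = MEDIA.get(src)
    if path is None:
        raise ValueError("unknown media key")
    # The allowlisted path is server-controlled; escaping is still cheap.
    return f'<object data="{html.escape(path, quote=True)}"></object>'


if __name__ == "__main__":
    attack = exploit_src("<h1>injected</h1>")  # constructed payload
    print("vulnerable:", render_vulnerable(attack))
    print("hardened  :", render_hardened("nsa"))
    try:
        render_hardened(attack)
    except ValueError as exc:
        print("hardened rejects attack:", exc)
```

Running the block prints the attacker-controlled `<object>` from the vulnerable renderer, the fixed markup for the legitimate `nsa` key, and the rejection of the `data:` URL by the hardened renderer.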