The Roundhouse Society
A volunteer-run heritage railroad museum. The exhibits catalog has a tidy little search feature — the server-rendered page is the same every time, but the results header changes the moment you start typing.
The Scenario
The Roundhouse Society is a small heritage-railroad museum, chartered in 1973 and run almost entirely by volunteers. Three operating steam locomotives, a working roundhouse, weekend service April through October, admission $14. A retired signals engineer rewrote the catalog page over a winter — he was proud that the server stayed dumb and the "live feel" of the search box ran entirely in the visitor's browser. The URL, he liked to point out, was the whole state of the page.
Challenge Intel
Synopsis
DOM-based XSS — a bundled catalog.js reads location.search and writes the q parameter into innerHTML without escaping.
What It Is
The vulnerable surface is /static/catalog.js. It reads URLSearchParams(location.search).get('q') and writes 'Results for "' + q + '"' into #results-header via innerHTML with no escaping or sanitisation. The PHP /catalog.php page never reads ?q= server-side — the entire vulnerability lives in the bundled client script. Because <script> tags injected through innerHTML don't execute, the payload must use an HTML element with an event handler (e.g. <img src=x onerror=...>). A Content-Security-Policy-Report-Only header on every response causes the inline-script violation to be reported to /__csp-report.php, which marks the session solved.
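To make the source-to-sink path concrete, here is an added example that is not the challenge's own catalog.js: a hypothetical reconstruction of the vulnerable header rendering beside two fixed versions, one that writes the query through textContent and one that escapes it before it reaches innerHTML. The element is a small stub so the functions can be exercised in Node without a browser; the sample query string is constructed for the demonstration and only shows that markup in ?q= is parsed as HTML.

```javascript
// Hypothetical reconstruction of the sink described above (not the real
// catalog.js): ?q= goes straight into innerHTML, so any markup in the query
// is parsed as HTML rather than shown as text.
function renderHeaderUnsafe(header, search) {
  const q = new URLSearchParams(search).get('q') || '';
  header.innerHTML = 'Results for "' + q + '"';
}

// Fix 1: treat the query as text. textContent never parses markup, so there
// is nothing to escape and no sink for attribute event handlers.
function renderHeaderSafe(header, search) {
  const q = new URLSearchParams(search).get('q') || '';
  header.textContent = 'Results for "' + q + '"';
}

// Fix 2: if innerHTML is unavoidable because the header mixes trusted markup
// with the untrusted query, escape the untrusted part first.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHeaderEscaped(header, search) {
  const q = new URLSearchParams(search).get('q') || '';
  header.innerHTML = '<strong>Results for</strong> "' + escapeHtml(q) + '"';
}

// Minimal stand-in for a DOM element: just enough to observe which property
// was written. (A real element would reflect textContent into innerHTML;
// the stub does not, which is fine for the checks below.)
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Defender-side check: does a string that reached innerHTML still contain an
// unescaped tag opener? Useful as a quick assertion in tests of rendering code.
function containsRawTag(html) {
  return /<[a-z!/]/i.test(html);
}

// Constructed sample: a query containing an HTML element, URL-encoded the way
// it would arrive in location.search. No event handler is needed to show the
// defect; the point is that the sink accepts markup at all.
const SAMPLE_SEARCH = '?q=%3Cimg%20src%3Dx%3E';

// Run all three renderers on the sample and report which ones let markup in.
function demo() {
  const out = {};
  for (const [name, fn] of Object.entries({
    unsafe: renderHeaderUnsafe,
    safe: renderHeaderSafe,
    escaped: renderHeaderEscaped,
  })) {
    const el = fakeElement();
    fn(el, SAMPLE_SEARCH);
    out[name] = { innerHTML: el.innerHTML, textContent: el.textContent, rawTag: containsRawTag(el.innerHTML) };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The Content-Security-Policy-Report-Only header mentioned above is the detection half of this story: even with the sink fixed, leaving a report-only policy in place turns any future inline-handler execution into a report rather than a silent failure.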
Who It's For
Players who understand reflected XSS and want to see a server that does not reflect at all — pure client-side sink.
Skills You'll Practice
- Recognising DOM-based XSS where server-side source is empty
- Reading bundled JS to identify URL-driven sinks
- Choosing payloads compatible with innerHTML (HTML attributes with event handlers, not <script>)
What You'll Gain
- Familiarity with location.search → innerHTML as a sink
- The script-tag-doesn't-execute-inside-innerHTML quirk
- Confidence to view-source and inspect bundled assets before assuming the server is reflecting
Ready to hack The Roundhouse Society?
This challenge is free. Sign up and start hacking.