When loading the provided site, we're met with a pretty much blank (more on that later) page running the following script:
The first part of the challenge is to obtain control of the attributes of the inserted element. This is difficult because the script appears to check for an attrs cookie that we have no ability to set directly: we only get to set the tag cookie.
The setCookie function looks sane, and in fact the document.cookie API can only set one cookie at a time, so there is no way to set the attrs cookie in addition to the tag cookie here.
The getCookie function, however, has a problem. In the case of the attrs cookie, it will search for the string attrs= in the cookie and return everything up to the next semicolon. However, this check doesn't require that attrs be its own cookie -- the string attrs= could simply appear in another cookie, and that would be picked up! Further, since setElement truncates the tag to the first character, we can insert the attrs bit in the tag cookie without ruining our HTML!
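The lookup flaw described above, shown beside a stricter parser. This is an added example, not the challenge's script: looseGetCookie is a reconstruction from the description, and strictGetCookie, the function signatures and the sample cookie string are assumptions constructed for illustration.

```javascript
// Reconstruction of the lookup as the write-up describes it (assumption, not
// the challenge's code): find "name=" anywhere in the cookie string and
// return everything up to the next semicolon.
function looseGetCookie(cookieString, name) {
  const needle = name + "=";
  const start = cookieString.indexOf(needle);
  if (start === -1) return null;
  const from = start + needle.length;
  const end = cookieString.indexOf(";", from);
  return cookieString.slice(from, end === -1 ? cookieString.length : end);
}

// Hardened lookup: split the string into individual cookies first, then
// compare the whole cookie name, so "attrs=" inside another cookie's value
// is never mistaken for a cookie called "attrs".
function strictGetCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf("=");
    if (eq === -1) continue; // entry without a name, ignore it
    if (trimmed.slice(0, eq) === name) return trimmed.slice(eq + 1);
  }
  return null;
}

// Constructed sample: only "tag" and "theme" cookies exist. The tag value
// starts with the one character that survives truncation, followed by text
// that merely looks like an attrs cookie.
const SAMPLE = "tag=pattrs=class=note; theme=dark";

function demo() {
  return {
    looseAttrs: looseGetCookie(SAMPLE, "attrs"),   // value taken from inside tag
    strictAttrs: strictGetCookie(SAMPLE, "attrs"), // no such cookie
    strictTag: strictGetCookie(SAMPLE, "tag"),
  };
}

console.log(demo());
```
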