# Xmas Still Stands
In this challenge we have a web page that have **Home Post Report
pages so we have an idea of what we have to do we post a malicious
payload that steal the cookie then report the post so that the admin
can see it and the payload executes and steal his cookie.
we first see if we can post HTML tags and we can then we post an img
tag with invalid src and tell it to send the document cookie on
error to our server or domain in this challenge lam using post bin.
when we submit the query we get the id of our post
we report the post with the post id
we now go check our bin if we got any request
we go and add these cookie from storage toolbar
we then navigate to Admin page and we get the flag