Tags: web
Rating: 4.7
Thanks, Midnight Sun CTF team for this amazing CTF and also for providing payload for this challenge without that this writeup could not have been possible.
### Code: http://crossintheroof-01.play.midnightsunctf.se:3000/?source
```php
<script>
setTimeout(function(){
try{
return location = '/?i_said_no_xss_4_u_:)';
nodice=;
}catch(err){
return location = '/?error='+;
}
},500);
</script>
<script>
/*
payload:
*/
</script>
<body onload='location="/?no_xss_4_u_:)"'>hi. bye.</body>
```
# Explanation: #
## Part 1
In the above code 1st part is PHP code which checks what parameter is passed and according to that it loads the page.
For Ex. this source code page is accessed by passing the source parameter.
(http://crossintheroof-01.play.midnightsunctf.se:3000/?source)
And it also removes harmful characters.
And when parameter XSS is passed it skips page loading portion, So this part of code has no use to us because we are going to use the XSS parameter.
## Part 2:
In the above code, payload XSS is reflected at three places, try block, catch block and comment section.
Let ?xss=alert(1)
Then Try block will not even execute this code due to return call before it, and catch block will not be called because no error happens and comment is just comment, So no XSS.
### Payload:
#### Decoded:
http://crossintheroof-01.play.midnightsunctf.se:3000/?xss=alert(1);let location=1;
