tl;dr:
- The report URL feature allows javascript: URLs
- Chrome's pop-up blocker doesn't seem to apply here, so you can launch multiple windows
- Open the original note in a named pop-up window:
    window.open( 'https://tbdxss.chal.perfect.blue/note', 'first' )
- Launch a second window that goes to a self-submitting form which changes the note to our malicious JS (no CSRF token is present in the challenge)
- Open another window pointing to the note page to run our malicious JS
- Since the two windows are same-origin, the new note page can read the original window's contents via
    window.open('', 'first').document.body.innerHTML
See the full write-up for more details.
Original write-up: https://bawolff.blogspot.com/2021/10/write-up-pbctf-2021-tbdxss.html
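The first bullet is the root cause: a user-supplied "report URL" that is stored and later rendered as a link without a scheme allowlist. As an added example (not code from the challenge or the write-up; the helper names are mine), here is the naive prefix check such a feature often has, beside a hardened version that parses the URL the way a browser does and allows only http/https:

```javascript
// Added example: scheme allowlist for a user-supplied "report URL" field.
// isSafeReportUrl and naiveCheck are hypothetical helper names.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Naive denylist: a raw string prefix test. Browsers ignore case and leading
// whitespace in the scheme, so a check like this does not match what the
// browser will actually execute when the stored value is rendered as a link.
function naiveCheck(input) {
  return !input.startsWith("javascript:");
}

// Hardened check: parse with the WHATWG URL parser (the same normalisation a
// browser applies) and allow only an explicit set of schemes. Anything that
// does not parse as an absolute URL is rejected rather than guessed at.
function isSafeReportUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return false; // relative or malformed: refuse
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Constructed sample inputs for comparing the two checks.
const SAMPLES = [
  "https://example.com/page",
  "http://example.com/",
  "javascript:void(0)",
  " JavaScript:void(0)",     // leading space, mixed-case scheme
  "data:text/html,hello",    // not javascript:, but still not a web URL
  "/note",                   // relative: would resolve on the reporting site
];

// Returns one row per sample so the difference between the checks is visible.
function evaluate() {
  return SAMPLES.map((s) => ({
    input: s,
    naive: naiveCheck(s),
    hardened: isSafeReportUrl(s),
  }));
}
```

On the mixed-case sample, naiveCheck accepts the value while isSafeReportUrl rejects it; storing the parsed, allowlisted URL rather than the raw string is the fix.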