Tags: proxy web couchdb xss jwt 

Rating: 5.0

Abuse the JWT JKU claim in combination with unrestricted file upload to gain admin access. Perform request smuggling to bypass HAProxy ACL rules and use XSS to let Puppeteer retrieve the admin secret from the CouchDB REST API.

Original writeup (https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/steamcoin/).