Tags: xss 

tl;dr:
1. Notice the XSS in the order form
2. Split the payload across multiple fields and call it via eval() to avoid the length checks
3. Get the flag by forcing the admin to put it in our cart

Full writeup: https://github.com/p4-team/ctf/tree/master/2017-11-09-defcamp-final/fedora_shop