Fancy Page

Description

web/fancy-page (by hmmm) | 436 points

http://fancy-page.hsctf.com

Downloads: fancy-page.zip

Analysis

Fancy Page™ is a website that lets us write content and share it.

The website allows HTML tags, which means an XSS attack may be possible.

There's also a share button, "Show us what you've created!", which means that (most likely) we will need a cookie-stealing XSS.

display.js sanitizes some keywords, which could prevent XSS payloads.

function sanitize(content) {
	return content.replace(/script|on|iframe|object|embed|cookie/gi, "");
}

The sanitization happens only once, in a single pass, and the result is assigned directly to innerHTML:

let sanitized = sanitize(Arg("content"));
content.innerHTML = sanitized;

Solution

I used Reflected Steal Cookie to create an XSS payload and beeceptor to inspect requests.

Keywords such as oonnerror are written like this because when the sanitize function removes the inner on, what is left is onerror, which triggers the XSS.
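The single-pass behaviour described above, as an added example that is not part of the original writeup: sanitize() is copied from display.js, while survivingKeywords(), escapeHtml() and the sample strings are hypothetical and constructed for illustration. It shows that the keyword filter both lets a blocked keyword reappear and mangles ordinary text, and contrasts it with output encoding.

```javascript
// Keyword list from display.js, reused here to re-check the filter's own output.
const BLOCKED = /script|on|iframe|object|embed|cookie/gi;

// Copied from the page: one replace pass; the result goes into innerHTML.
function sanitize(content) {
  return content.replace(/script|on|iframe|object|embed|cookie/gi, "");
}

// Hypothetical helper: blocked keywords that are still present AFTER
// sanitizing. A non-empty result means the single pass did not hold.
function survivingKeywords(input) {
  const out = sanitize(input);
  return (out.match(BLOCKED) || []).map((k) => k.toLowerCase());
}

// Hypothetical hardened path: encode markup characters so user content is
// rendered as inert text (equivalent to assigning to textContent instead
// of innerHTML). No keyword list is involved, so nothing can "reassemble".
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed inputs.
const nested = "oonnerror";               // the nested form quoted in the writeup
const benign = "Contact us about content"; // ordinary text containing "on"

console.log(sanitize(nested));            // filter output contains a blocked keyword
console.log(survivingKeywords(nested));   // which keywords survived
console.log(sanitize(benign));            // legitimate text is damaged
console.log(escapeHtml('<img alt="a&b">'));
```

If the page must keep accepting HTML tags, escaping everything is not an option, and an allowlist-based HTML sanitizer is the usual replacement for a keyword filter.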

Finally we share the URL and get the flag.
