Let's start by warming a little bit! I love planets and I hate sheets so I made this website to show my favorite planets. Flag is in admin cookie.
Link: http://20.233.9.240:1337
In this challenge our input is reflected into an XSL document. For instance:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheetversion="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:templatematch="/">
<html>
<body>
<h2>Planets</h2>
<p>
OUR INPUT <xsl:for-eachselect="catalog/cd">
<xsl:value-ofselect="title"/>
<xsl:iftest="position() < last()-1">
<xsl:text>, </xsl:text>
</xsl:if>
<xsl:iftest="position()=last()-1">
<xsl:text>, and </xsl:text>
</xsl:if>
<xsl:iftest="position()=last()">
<xsl:text>!</xsl:text>
</xsl:if>
</xsl:for-each>
</p>
</body>
</html>
</xsl:template>
β
</xsl:stylesheet>
When rendered in the browser, this yields an error.
Since the Content-Type is text/xsl, we can use <x:script> to perform XSS (source).