XSS with small image?
Beginner Hint1: About the Admin Bot
- In this challenge, you are given not only the web application itself, but also an admin bot.
- The admin bot has a cookie containing the flag, and it opens a specified path using Headless Chrome.
- Therefore, your goal is to make the admin bot trigger your payload and send the cookie value to an external server.
- You can prepare your own server as the destination, or use an existing service that lets you receive and inspect HTTP requests.
- If you are still not familiar with how to use the admin bot or how to inspect incoming requests, it may help to first solve Fushigi Crawler and read its writeup.
Beginner Hint2: Overview of the Challenge
- Using `POST /api/upload`, you can upload a file to the server. Try uploading the sample files included with the challenge distribution.
- In `/file`, you can view the uploaded file. It uses `GET /api/file/<file_id>` to get the content of the file, and `GET /api/filename/<file_id>` to get the original filename of the file.
Beginner Hint3: Approach
- `original_filename` looks like it is escaped using `html.escape`. This is because the value returned in `/api/filename/<file_id>` is directly inserted into HTML using `innerHTML`.
- So the intended path is not to inject through a malformed filename.
- Look carefully at how `file_id` is used in `/file`, and see how it can be abused.
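The hint contrasts the two values the `/file` page consumes: `original_filename`, which is neutralised with `html.escape` before it reaches `innerHTML`, and `file_id`, which is not described as being treated the same way. The following is an added example, not the challenge's own code, showing how a server would handle both values defensively: the filename is escaped exactly as the hint describes, and `file_id` is checked against an allowlist before it is used to build a URL. The function names and the id pattern are assumptions, since the hint page does not show the real `/file` implementation.

```python
import html
import re

# Assumption: the hint page does not describe the real file_id format. This
# allowlist is a placeholder that accepts only plain tokens, so a file_id can
# never carry slashes, quotes, angle brackets or whitespace into a URL or into
# the HTML of the /file page.
FILE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_file_id(file_id: str) -> bool:
    """Allowlist check to apply before file_id is used anywhere."""
    return FILE_ID_RE.fullmatch(file_id) is not None


def file_api_url(file_id: str) -> str:
    """Build the /api/file/<file_id> URL only from a validated id."""
    if not is_valid_file_id(file_id):
        raise ValueError("file_id rejected by allowlist")
    return f"/api/file/{file_id}"


def filename_api_body(original_filename: str) -> str:
    """Body for /api/filename/<file_id>, as the hint describes it: the name
    escaped with html.escape (quote=True also covers attribute contexts), so
    inserting it with innerHTML renders text rather than markup."""
    return html.escape(original_filename, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the challenge.
    print(filename_api_body("<b>report</b>.png"))   # markup neutralised
    print(file_api_url("f00d-1234"))                 # accepted id
    for bad in ("../etc", 'x" onload="y', ""):
        print(repr(bad), "valid:", is_valid_file_id(bad))
```

The escaped filename survives `innerHTML` as plain text because the browser decodes the entities into characters rather than parsing them as tags; the allowlist on `file_id` gives the second value the same kind of guarantee, which is the property to look for when reading the real `/file` page.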