#CTF #DerpCon #RunCode
SecureMessage appears to be a messaging platform where you can send messages to other users. Another app just asking to be XSS'd. We can send messages to ourself, so that's a pretty decent testing ground to see if we can get some
working. I'll start by sending some basic XSS to myself, using differing payloads just in case one hits and the other does not.
Hitting the Get Messages button shows us the new message and a read button. No
but we should look at the message itself.
Interesting. It looks like the subject is stripping away the
tags and the message portion is being
so we can pretty much just discard it.
There's about 5000 ways around this, but let's do the dumb one! Maybe we can get away with nesting the
tags like so <<script>script>.
We get a little different result when we view our message list this time..
Then when we open the message itself….
MONEY!! Now, we'll craft up a slight variation on what we used for Khanslist
When it lands on our listener, we'll see two requests with the payload encoded (that would be the view messages page) and a third hit with the admin
where the admin viewed our message!
So we load up that shiny new cookie and check our messages. Wewt, got a flag..