SecureMessage appears to be a messaging platform where you can send messages to other users. Another app just asking to be XSS'd. We can send messages to ourselves, so that's a pretty decent testing ground to see if we can get some XSS working. I'll start by sending some basic XSS to myself, using a few different payloads in case one hits and another does not.
Hitting the Get Messages button shows us the new message and a Read button. No alert(), but we should look at the message itself.
Interesting. It looks like the subject is stripping away the script tags, while the message body is being htmlentities'd, so we can pretty much discard the body and focus on the subject.
There are about 5000 ways around this, but let's do the dumb one! The filter looks like a single pass that removes the literal tag, so maybe we can get away with nesting the script tags like so: <<script>script> (once the inner tag is removed, a whole <script> tag is left behind).
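To show why the single-pass strip in the subject field fails while the htmlentities-style encoding of the body holds up, here is an added example (not code from the challenge or from this post) that models both filters in Python. The tag regex, function names and the iterate-until-stable fix are my own assumptions about how such a filter is built, not the challenge's actual code.

```python
import html
import re

# Matches an opening or closing <script ...> tag, case-insensitively.
# Assumption: the challenge's filter works on the literal tag like this.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def strip_script_once(text: str) -> str:
    """The "silly fix": one pass that deletes every <script> tag it sees.
    Removing the inner tag from '<<script>script>' leaves '<script>' behind,
    so the output can contain a tag the input never had as a whole."""
    return SCRIPT_TAG.sub("", text)


def strip_script_fixpoint(text: str) -> str:
    """Repeat the strip until the text stops changing, which closes the
    nesting bypass. Still a blocklist, so prefer escaping for untrusted text."""
    while True:
        stripped = SCRIPT_TAG.sub("", text)
        if stripped == text:
            return stripped
        text = stripped


def escape_for_html(text: str) -> str:
    """Encode instead of strip (what the message body does): every '<' becomes
    '&lt;', so no tag can be reassembled no matter how the input is nested."""
    return html.escape(text, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Detection check a reviewer can run on the filter's output."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    # Constructed sample inputs: a plain tag and the nested variant.
    plain = "<script>alert(1)</script>"
    nested = "<<script>script>alert(1)<</script>/script>"
    for name, func in [("once", strip_script_once),
                       ("fixpoint", strip_script_fixpoint),
                       ("escape", escape_for_html)]:
        for sample in (plain, nested):
            out = func(sample)
            print(f"{name:8} {sample!r:45} -> {out!r}  tag left: {contains_script_tag(out)}")
```

Running it prints the single-pass filter turning the nested sample into a complete script tag, while the fixpoint and escaping variants leave none behind.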
We get a little different result when we view our message list this time…
Then when we open the message itself…
MONEY!! Now, we’ll craft up a slight variation on what we used for Khanslist.
When it lands on our listener, we'll see two requests with the payload encoded (that would be the view messages page) and a third hit with the admin cookie, where the admin viewed our message!
So we load up that shiny new cookie and check our messages. Wewt, got a flag: derp{silly_fixes_are_silly_sadface_dot_jpg}