Siemens Future Minds CTF — Cupcake Magdalena
Cupcake Magdalena was a challenge during Siemens’ Future Minds CTF. It was in the Web category and had the following description:

Solving the challenge
The challenge presented a web page with a function to submit a review. After the review is submitted, an admin looks at it. So I tried to inject an XSS payload to read the admin's session cookie.
The following JavaScript code reads the user's cookie and sends it via a GET request to a web server which I had set up beforehand.
For that I intercepted a request to /api/reviews/add and added my payload to both the "name" and "review" parameters:

Finally, I was able to retrieve the flag. It seems both parameters/forms are vulnerable to XSS, as I retrieved the flag twice.
