Siemens Future Minds CTF — Cupcake Magdalena
Cupcake Magdalena was a challenge during Siemens’ Future Minds CTF. It was in the Web category and had the following description:
Solving the challenge
The challenge presented a web page with a form to submit a review. After a review is submitted, an admin looks at it, so I tried to inject an XSS payload to read the admin’s session cookie.
To do that I intercepted a request to /api/reviews/add and added my payload to the “name” and “review” parameters:
Finally I was able to retrieve the flag. It seems that both parameters/fields are vulnerable to XSS, as I retrieved the flag twice.
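To show where such a bug lives and how it is fixed, here is an added JavaScript example; it is not part of the write-up or the challenge's own code. The rendering functions, the sample submission and the cookie flags are assumptions; only the two field names (name, review) and the endpoint come from the post.

```javascript
// Added example (not the challenge's source): a review-list renderer that is
// vulnerable to stored XSS next to its hardened form. The {name, review} shape
// mirrors the two parameters posted to /api/reviews/add in the write-up.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: both user-controlled fields are concatenated into the page as-is,
// so any markup submitted in "name" or "review" runs in the admin's browser.
function renderReviewVulnerable(r) {
  return `<li><b>${r.name}</b>: ${r.review}</li>`;
}

// Hardened: every untrusted value is escaped before it enters the markup.
function renderReviewSafe(r) {
  return `<li><b>${escapeHtml(r.name)}</b>: ${escapeHtml(r.review)}</li>`;
}

// Constructed check for reviewing rendered output: does it still contain a
// raw <script> tag or an inline on*= handler? (heuristic, not exhaustive)
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample submission with markup in both fields, since the
// write-up reports both were exploitable.
const sample = {
  name: '<script>alert("name")</script>',
  review: 'tasty <b onclick="alert(1)">cupcake</b>',
};

// Second line of defence (assumed cookie attributes, <session-id> is a
// placeholder): HttpOnly keeps the session cookie out of document.cookie,
// so even a successful injection cannot read it from script.
const sessionCookie = "session=<session-id>; HttpOnly; Secure; SameSite=Lax";

console.log("vulnerable:", renderReviewVulnerable(sample));
console.log("hardened:  ", renderReviewSafe(sample));
console.log("Set-Cookie:", sessionCookie);
```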