webhard
Personal Blog
uoftctf2026
Task: Node.js blog app with DOMPurify-sanitized post saving, an unsanitized autosave endpoint, magic-link authentication, and non-httpOnly cookies, visited by an admin bot. Solution: Injected stored XSS via the unsanitized /api/autosave endpoint, used a magic link to capture the admin's session in the sid_prev cookie, then performed a cookie-swap attack to fetch /flag as admin and save it to the attacker's post.
$ ls tags/ techniques/
autosave_xss_bypass  magic_link_session_leak  cookie_swap_attack