webPromedium
Lab 245 — MetriView — Reflected XSS via Open Redirect Chain
hackadvisor
Task: MetriView monitoring platform (Express/Node.js) with open redirect at /auth/redirect accepting encoded path traversal, and reflected XSS at /api/snapshot/render via unescaped title parameter. Solution: chain open redirect through path traversal to reflected XSS endpoint, use double-encoded %252B to survive redirect decoding, exfiltrate admin cookies via document.location redirect to notes API, retrieve flag from admin's cookies.
$ ls tags/ techniques/
path_traversalnodejsxsscookie_stealingnginxexpressadmin_boturl_encodingdouble_encodingreflected_xssdecoy_flagopen_redirectsame_origin_exfiltrationredirect_chainsnapshot_render
admin_bot_exploitationdouble_url_encoding_bypassreflected_xss_via_unescaped_title_parameteropen_redirect_path_traversal_bypasscookie_exfiltration_via_document_locationsame_origin_data_exfiltration_via_notes_apiredirect_chain_to_xss
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]MetricFlow — DOM XSS via Prototype Pollution Gadget— hackadvisor
- [web][Pro]Lab 78 — MetricVault — NoSQL Injection in Login Authentication— hackadvisor
- [web][Pro]Lab 73 — NetShield — Reflected XSS via 404 Page Attribute Injection— hackadvisor
- [web][Pro]Lab 248 — PulseBoard — Next.js Middleware Authorization Bypass— hackadvisor
- [web][Pro]Lab 24 — SheetMetric — XXE via Malicious Excel Upload— hackadvisor