NarutoKeeper - Securinets CTF Quals 2022

tl;dr Create a note with meta redirect tag to get callback. Leak the flag using search functionality. ...

April 14, 2022 · 4 min · ma1f0y

Vulpixelize - HITCON CTF 2021

tl;dr Use DNS Rebinding attack to read flag from /flag endpoint. ...

December 5, 2021 · 3 min · Yadhu Krishna M

Shisui - Fword CTF 2021 Write-up

tl;dr XSS using DOM Clobbering: <a id="showInfos"></a><a id="SETTINGS" name=check data-timezone="aaa" data-location="eval(window.name)"><a id="SETTINGS" name="x"> Bypass CSRF protection to execute XSS and read flag. ...

August 30, 2021 · 3 min · Yadhu Krishna M

InCTF Internationals 2021 - MD-Notes Write-up

tl;dr Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256(''). Create an XSS payload to read /api/flag and send it to attacker server. ...

August 15, 2021 · 3 min · Yadhu Krishna M

Exploiting Client-side Prototype Pollution - arg.js

First of all, a big shoutout to the challenge author. All the challenges in this set are available here. Analysis: Going through the challenge source, we can see that two JavaScript files are imported. <script src="https://raw.githack.com/stretchr/arg.js/master/dist/arg-1.4.js"></script> <script src="js/main.js"></script> arg-1.4.js is a popular library for parsing URL parameters. And main.js has the following content. let data = { small: "Hi, there!...

June 22, 2021 · 2 min · Yadhu Krishna M