# **Cupid's Arrow Strikes: XSS to the Heart of the Admin**

## **Introduction**

In a realm of digital love notes, the Intigriti Love Letter Storage offered a challenge as sweet as a first date, with the promise of swag that would warm even the coldest hacker's heart. This writeup is a tale of affection, not between star-crossed lovers, but between a Bug Bounty Hunter and the elusive XSS vulnerability hidden within the heart of the application.

## **The Encounter**

As with any budding romance, our first encounter was all about exploration and understanding. The Love Letter Storage promised a safe haven for those tender confessions, guarded by a watchful admin who would only ever lay eyes on links that whispered the domain of trust.

With the source code as our love letters, we delved into the poetry of JavaScript, finding solace in the endpoints **`/setTestLetter`** and **`/readTestLetter`**. These endpoints, like the initial exchanges of glances, held the potential for something more—a vulnerability waiting to be explored.

## **The Flirtation**

Our flirtation began with a dance around character encoding, a masquerade ball where characters could don different masks. We discovered that our dear admin's eyes could be deceived by the grace of **`DOMPurify`**, only to be seduced by the charms of ASCII. A payload, innocent in its UTF-8 gown, was transformed into an ASCII rogue, bypassing the chaperone's watchful gaze:

```text
Original:  ¼script>¼script>
Sanitized: ¼script>¼script>
Encoded:   B<script>B<script>
```

## **The First Date**

Our first date with the admin was set. An XSS payload, crafted with the care of a love letter, was ready to unset the very heart of the application—the secret love letter:

```jsx
fetch('/unsetLetter', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ letterId: "3" })
});
```

And like any good suitor, we left a token of our affection, a cookie that bore our JWT, a promise of a future together:

```jsx
document.cookie = "jwt=eyJhbGciOiJIUzI1Ni...; domain=.challenge-0224.intigriti.io; path=/storeLetter";
```

## **The Courtship**

As the admin closed tabs and reopened them, our script ensured that their every move was a step towards us. When the admin found the third letter missing—like a lost love—they sought to refill the void with a letter of their own. Little did they know, they were penning it directly into our waiting arms.

## **The Union**

As the admin, driven by instinct and our gentle guidance, restored the letter, it was not to their own account but to ours. Our XSS script, like Cupid's own arrow, had struck true. The secret letter was ours, and with it, the sweet victory of the challenge.

## **Conclusion**

Our tale ends not with a goodbye, but with a beginning. The union of hacker and letter was not just a victory for one, but a demonstration of affection for the community—a reminder that even in the guarded halls of cybersecurity, a well-placed arrow of XSS can turn a secure stronghold into a love-struck ally. The swag may warm our bodies, but the triumph warms our souls.

Until the next Valentine's day, may our hearts be secure, and our payloads be true.

---

## **Epilogue**

Remember, love and security are both matters of the heart. Keep both guarded, but never forget to take a chance when the right payload comes along.
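
The encoding mismatch from "The Flirtation", as an added example that is not code from the challenge or its author: text is sanitized as UTF-8, then converted to 7-bit ASCII, so a character that was harmless at check time becomes markup at render time. It assumes the conversion clears the high bit of each UTF-8 byte (which reproduces the `B<script>` output shown above); `markupCreatedByConversion`, `renderLetter` and the `escapeHtml` stand-in for the sanitizer are hypothetical names.

```javascript
// Added example. Assumption: the ASCII step clears the high bit of each
// UTF-8 byte, which reproduces the page's "B<script>" output.
const utf8 = new TextEncoder();

// The string the browser actually parses after the lossy conversion.
function toSevenBit(str) {
  return Array.from(utf8.encode(str), (b) => String.fromCharCode(b & 0x7f)).join('');
}

// Characters that change how an HTML parser reads the text around them.
const MARKUP = new Set(['<', '>', '"', "'", '&', '`']);

// Report every non-ASCII character in already-sanitized text that turns
// into markup once converted. Any finding means the sanitizer's verdict
// no longer applies to what is served.
function markupCreatedByConversion(sanitized) {
  const findings = [];
  for (const ch of sanitized) {
    if (ch.codePointAt(0) < 0x80) continue; // ASCII survives unchanged
    const becomes = toSevenBit(ch);
    if ([...becomes].some((c) => MARKUP.has(c))) findings.push({ ch, becomes });
  }
  return findings;
}

// Hypothetical stand-in for the real sanitizer (not DOMPurify's API).
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Corrected ordering: convert first, then sanitize the bytes being served.
function renderLetter(raw, sanitize = escapeHtml) {
  return sanitize(toSevenBit(raw));
}

// Constructed sample input, matching the page's "Original" line.
const sample = '\u00BCscript>';
console.log(toSevenBit(sample));
console.log(markupCreatedByConversion(sample));
console.log(renderLetter(sample));
```

The general fix is to make the sanitizer the last transformation before output, or to serve the response in the same encoding the sanitizer saw.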