[HACK.LU-CTF] Mistune (Web)
Description: Markdown parsers are fun. Now click here and steal the cookie!
In this challenge, we have two forms for submitting Markdown code that is parsed by Mistune. The first form is for testing purposes; content sent through the second one is read by an admin bot which has the flag in its cookies.
In Markdown syntax, we can create an XSS payload by using the link creation directive:
We found some bypasses in Mistune’s GitHub issue #87, but they are ineffective since the parser is up to date.
After much trial and error, we came up with a filter bypass! The mighty newline character \n! It’s stripped out by the browser, thus leading to a working XSS payload.
Boom! We got the flag!
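The fix for this class of bug is to check the link target the way the browser will read it. The sketch below is an added example, not Mistune's code or anything from the challenge: `naive_is_safe`, `browser_normalize`, `is_safe_link` and the allowlist are hypothetical names and values, and the sample URLs are constructed for the test.

```python
import re

# Assumed allowlist for this sketch; adjust to what the application needs.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# URL scheme syntax: a letter, then letters, digits, "+", "-" or ".", then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# C0 control characters plus space (0x00-0x20), which browsers trim from
# both ends of a URL before parsing it.
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def naive_is_safe(url):
    """Blocklist check on the raw string: the kind of filter a newline defeats."""
    blocked = ("javascript:", "vbscript:", "data:")
    return not url.strip().lower().startswith(blocked)


def browser_normalize(url):
    """Apply the pre-processing browsers perform before parsing a URL:
    trim leading/trailing C0 controls and spaces, then drop every tab,
    line feed and carriage return wherever it appears."""
    return re.sub(r"[\t\n\r]", "", url.strip(_C0_AND_SPACE))


def is_safe_link(url):
    """Allowlist check on the normalized URL.

    Must be called on the final value that will be written into href,
    after any entity decoding the renderer performs."""
    match = _SCHEME_RE.match(browser_normalize(url))
    if match is None:
        return True  # no scheme: relative URL, resolved against the page
    return match.group(1).lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the challenge.
    for sample in ["https://example.com/", "/docs/page",
                   "javascript:alert(1)", "java\nscript:alert(1)"]:
        print(repr(sample), naive_is_safe(sample), is_safe_link(sample))
```

The allowlist matters as much as the normalization: a blocklist has to anticipate every dangerous scheme and every spelling of it, while the allowlist only has to recognize the few schemes the application wants.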