Exploiting a Blind XSS using Burp Suite

Last weekend, I participated in the qualification phase of the “Nuit du Hack 2017” CTF. We solved all the Web challenges, and I scored one of them alone, using exclusively Burp Suite Pro. Here’s the story…

The challenge is named “Purple Posse Market”, with the following description: “You work for the government in the forensic department, you are investigating on an illegal website which sells illegal drugs and weapons, you need to find a way to get the IBAN of the administrator of the website”. The application uses the “Express” web server, which hints at a NodeJS application. AngularJS v1.5.8 is used, and the whole page is located inside an AngularJS execution context thanks to the root tag. A contact form is available at “/contact”. It allows sending messages to the administrator, who is said to be “currently online”.

My assumptions:
1) the vulnerability to exploit is a Blind XSS via the contact form
2) the AngularJS part is important (of course, given that v1.5.8 is used!)
3) basic HTML and JavaScript injections (using and