Notice that the home page uses a client-side cookie called
lastViewedProduct, whose value is the URL of the last product page that the user visited.
Go to the exploit server and add the following
iframeto the body, remembering to replace
YOUR-LAB-IDwith your lab ID:
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://YOUR-LAB-ID.web-security-academy.net';window.x=1;">
- Store the exploit and deliver it to the victim.
The original source of the
iframe loads for the first time, the browser temporarily opens the malicious URL, which is then saved as the value of the
lastViewedProduct cookie. The
onload event handler ensures that the victim is then immediately redirected to the home page, unaware that this manipulation ever took place. While the victim's browser has the poisoned cookie saved, loading the home page will cause the payload to execute.