Challenges
Perform a persisted XSS attack.
Because SecureBank uses DataTables to present data, and DataTables does not escape HTML by default, you can perform an XSS anywhere on the site where DataTables is used. You just need to create a new transaction with <iframe src="javascript:alert(1)"> set for Reason or Reference.
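The fix for the behaviour described above is to escape cell data before it is written into the table. The following is an added example, not SecureBank's or DataTables' own code: it mimics the DataTables column render(data, type, row) callback, and the helper names (escapeHtml, textRenderer, hardenColumns, renderCell) and the sample row are assumptions made for illustration.

```javascript
// Added example: escaping renderer for DataTables-style column definitions.
// escapeHtml, textRenderer, hardenColumns and renderCell are hypothetical names.

// Encode the characters that let a string break out of a text context.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// DataTables calls column.render(data, type, row) once per cell and purpose.
// Escape for 'display' and 'filter'; leave 'sort' and 'type' raw so
// ordering and type detection still work on the original value.
function textRenderer(data, type) {
  return (type === 'display' || type === 'filter') ? escapeHtml(data) : data;
}

// Give every column that has no renderer of its own the escaping one.
function hardenColumns(columns) {
  return columns.map((col) => (col.render ? col : { ...col, render: textRenderer }));
}

// Minimal stand-in for how a cell's display HTML is produced (assumption:
// with no renderer, the raw value is written into the cell as HTML).
function renderCell(column, row) {
  const data = row[column.data];
  return column.render ? column.render(data, 'display', row) : String(data);
}

// Constructed sample row using the test string from the text above.
const row = { amount: 10, reason: '<iframe src="javascript:alert(1)">', reference: 'INV-1' };
const columns = [{ data: 'amount' }, { data: 'reason' }, { data: 'reference' }];

const before = columns.map((c) => renderCell(c, row));
const after = hardenColumns(columns).map((c) => renderCell(c, row));
console.log(before[1]); // markup reaches the page as-is
console.log(after[1]);  // markup is shown as inert text
```

In a real page the same effect comes from DataTables' built-in helper, render: $.fn.dataTable.render.text(), set on each column that shows user-supplied values; encoding the values on the server as well keeps other consumers of the data safe.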
On the /PortalSearch page, search for <iframe src="javascript:alert(1)">.
You will find the flag in the response header.