MD-Notes - InCTF Internationals 2021
Yadhu Krishna M
2021-08-14
Web Exploitation

tl;dr
Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256(''). Create an XSS payload to read /api/flag and send it to attacker server.

InCTFi XSS JavaScript