CyCTF News Revenge: NoSQLi Auth Bypass → XML Content-Type Bypass → Stored XSS → Admin Cookie Exfiltration

Phase 2: User Enumeration

From the same endpoint, I learned a valid username exists:

• user1

At this point, authentication becomes the next target.

Phase 3: NoSQL Injection Authentication Bypass

I navigated to the login page and submitted:

• Username: user1
• Password: anything Then intercepted the request using Burp Suite.

Original JSON body

Modified payload (NoSQLi)

This turns the backend query into something equivalent to:

Which always evaluates to true if the password field exists.

Result:

Successfully logged in without knowing the password.

Phase 4: Comment Functionality Recon

After login, I inspected article behavior.

Article 1

• Comment submission result: “Comment submitted for admin review!”

This strongly suggests admin will view the page and potential stored XSS execution context.

Article 2

• Comment submission is immediately published
• No admin review required

This makes Article 2 the ideal testing ground.

Phase 5: Initial XSS Attempt (Blocked)

I tried a basic payload:

Result: HTML tag not allowed

Clearly, a filter is in place.

Phase 6: Content-Type Filter Bypass

Instead of attacking the payload, I attacked the parser.

Strategy

• Intercept comment POST request
• Change Content-Type
• Switch body from JSON to XML

Modified Header:

XML Payload

Result

• Comment accepted
• Script executed
• Stored XSS achieved

The filter only existed in the JSON handling path.

Phase 7: Weaponizing XSS (Admin Cookie Exfiltration)

Now the real target: admin cookies. Since Article 1 comments are reviewed by admins, I placed the payload there.

Final Payload

Once the admin reviewed the article, the payload executed in admin context.

Phase 8: Flag Capture

Admin cookies were successfully exfiltrated to my webhook.

Why This Chain Works?

• NoSQL auth logic trusted user input
• Filters were applied only to JSON
• XML parser bypassed validation entirely
• Stored XSS executed in a high-privilege admin session
• Cookies were accessible (no HttpOnly)

Real-World Fixes

• Use strict schema validation for MongoDB queries
• Never pass raw user input directly into NoSQL queries
• Apply identical validation across all content types
• Disable XML unless explicitly required
• Set cookies with HttpOnly, Secure, SameSite

Closing

One parser, one unchecked operator, one missing cookie flag, and the admin hands you the keys.